  1. Moodle
  2. MDL-20812 Wiki 2.0 for Moodle - META
  3. MDL-23140

XSS in wiki pages and probably comments too


    • Sub-task
    • Resolution: Fixed
    • Blocker
    • 2.0
    • 2.0
    • Wiki (2.x)
    • None
    • MOODLE_20_STABLE
    • MOODLE_20_STABLE

      Just search for format_text() and clean_text() in mod/wiki/*, you will get hits only in diff and upgrade, nowhere else!
      So I just disabled JS and added new page content with an applet tag and it was rendered on the wiki page.
      The comments use entity decoding but no cleaning, if I read the code right. I was not able to test it because there were some fatal errors thrown from the wiki comments functions.

      The rules are very simple: each student submitted text must be neutralised by format_text(), clean_text() or s()/p() right before outputting to page.

            andyjdavis Andrew Davis
            skodak Petr Skoda
            Nobody Nobody (Inactive)
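
The search the report describes, taken one step further as an added example (not Moodle's code or tooling): rather than only grepping for format_text() and clean_text(), this script lists the lines in a module directory that write a PHP variable to the page with none of format_text(), clean_text(), s() or p() on the same line. Treating echo, print and <?= as the output statements is an assumption, and the sample files, their names and their variables are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: heuristic triage of a module directory, not a proof of safety.
# Flags lines that write a PHP variable to the page (echo, print, <?=) with
# none of the helpers named in the report on the same line:
# format_text(), clean_text(), s() or p(). Each hit still needs manual review.
audit_module() {
    find "$1" -type f -name '*.php' -exec awk '
        /(^|[^A-Za-z0-9_>$])(echo|print)([ \t(]|$)/ || /<[?]=/ {
            if ($0 !~ /[$][A-Za-z_]/) next   # constant output, nothing to neutralise
            if ($0 ~ /(^|[^A-Za-z0-9_>$:])(format_text|clean_text|s|p)[ \t]*[(]/) next
            printf "%s:%d:%s\n", FILENAME, FNR, $0
        }' {} + | sort -t: -k1,1 -k2,2n
}

# Constructed sample tree (file names, variables and contents are made up
# for this example; they are not Moodle source).
make_sample_tree() {
    mkdir -p "$1/mod/wiki"
    cat > "$1/mod/wiki/view.php" <<'EOF'
<?php
echo '<h2>' . s($page->title) . '</h2>';
echo $page->content;
echo format_text($page->content, FORMAT_HTML);
EOF
    cat > "$1/mod/wiki/comments.php" <<'EOF'
<?php
$text = html_entity_decode($comment->content);
print $text;
echo '<hr />';
EOF
}

# Demo run: build the sample, list the lines needing review, clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_tree "$tmp"
    audit_module "$tmp/mod/wiki" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}
demo
```

A line that mixes a neutralised value with a raw one is skipped by this same-line check, so an empty result narrows the review rather than replacing it.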