Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-49304

Unbalanced html tags can make pages completely unusable

XMLWordPrintable

    • MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_38_STABLE, MOODLE_400_STABLE
    • MDL-49304-master-3
    • Hide

      Disable the atto html editor.
      Go to a course.
      Turn editing on.
      Edit one of the course's topics. (take note of the editsection.php URL)
      add the following bad HTML to the summary.

      </div></div></div>
      <script>
      <script type="text/javascript">
      <!--

      Save changes.

      Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.)

      With the patch the course will continue to display correctly.

      Show
      Disable the atto html editor. Go to a course. Turn editing on. Edit one of the course's topics. (take note of the editsection.php URL) add the following bad HTML to the summary. </div></div></div> <script> <script type="text/javascript"> <!-- Save changes. Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.) With the patch the course will continue to display correctly.
    • 2
    • International 4.0 - Sprint 2, International 4.0 - Sprint 3, International 4.0 - Sprint 4, International 4.0 - Sprint 5, International 4.0 - Sprint 6, International 4.0 - Sprint 7, Internationals - 3.11 Sprint 4, Internationals - 3.11 Sprint 5

      If you enter code in an editor (or textarea) with unbalanced div tags, script tags, or html comments, it can completely break page rendering.

      At some point, it was decided that teachers are inherently trusted because there are some things they have to be able to do that would give them XSS capability. Because of that, we do absolutely no sanitization of teacher content in places like course sections, and we very frequently run into problems where they paste content from somewhere and it has unbalanced tags that then makes it impossible to fix via the UI.

            dobedobedoh Andrew Lyons
            emerrill Eric Merrill
            Tim Hunt Tim Hunt
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Votes:
            17 Vote for this issue
            Watchers:
            29 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 days, 6 hours, 37 minutes
                2d 6h 37m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.