Mahara

Skin title not escaped in page settings form

Bug #1707076 reported by Robert Lyon on 2017-07-27

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	High	Cecilia Vela Gurovic	Mahara 17.10.0
16.04	Fix Released	High	Unassigned	Mahara 16.04.8
16.10	Fix Released	High	Unassigned	Mahara 16.10.5
17.04	Fix Released	High	Unassigned	Mahara 17.04.3
17.10	Fix Released	High	Cecilia Vela Gurovic	Mahara 17.10.0

Bug Description

When testing https://bugs.launchpad.net/mahara/+bug/1706536 I noticed there was a problem on the page settings form where skin title was not being escaped.

To test:
1) Set up a skin with the title:

It's all <script>alert(1);</script>good!

2a) If the patch for bug 1706536 is in play it should show the title as inputed but not execute the js
2b) If the patch for bug 1706536 is not present it should show the title with special characters escaped but not execute the js

3) Go to pages and collections and edit a page
4) Click on settings

You get an alert box with '1' in it

The title for the skin needs to be escaped/made safe

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-07-31: A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/7907

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-08-14: A change has been merged

Reviewed: https://reviews.mahara.org/7907
Committed: https://git.mahara.org/mahara/mahara/commit/9af077dba7bfb1aa2257e40be89f44ce9ec506c9
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 9af077dba7bfb1aa2257e40be89f44ce9ec506c9
Author: Cecilia Vela Gurovic <email address hidden>
Date: Mon Jul 31 17:02:36 2017 +1200

Bug 1707076: escape skin titles to display

behatnotneeded

Change-Id: I469f8136e287bb86eb17a32dbed48dec05b87969

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-09-04: A patch has been submitted for review

Patch for "16.04_STABLE" branch: https://reviews.mahara.org/7971

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-09-04:

Patch for "16.10_STABLE" branch: https://reviews.mahara.org/7972

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-09-04:

Patch for "17.04_STABLE" branch: https://reviews.mahara.org/7973

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-09-04: A change has been merged

Reviewed: https://reviews.mahara.org/7973
Committed: https://git.mahara.org/mahara/mahara/commit/356c8f1c10b0257459ccb1723c15dd6114141fa2
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit 356c8f1c10b0257459ccb1723c15dd6114141fa2
Author: Cecilia Vela Gurovic <email address hidden>
Date: Mon Jul 31 17:02:36 2017 +1200

Bug 1707076: escape skin titles to display

behatnotneeded

Change-Id: I469f8136e287bb86eb17a32dbed48dec05b87969

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-09-04:

Reviewed: https://reviews.mahara.org/7971
Committed: https://git.mahara.org/mahara/mahara/commit/b069c0a0462ee391ba7f16e67a7c85850850b43f
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit b069c0a0462ee391ba7f16e67a7c85850850b43f
Author: Cecilia Vela Gurovic <email address hidden>
Date: Mon Jul 31 17:02:36 2017 +1200

Bug 1707076: escape skin titles to display

behatnotneeded

Change-Id: I469f8136e287bb86eb17a32dbed48dec05b87969

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-09-04:

Reviewed: https://reviews.mahara.org/7972
Committed: https://git.mahara.org/mahara/mahara/commit/43d3ee28055eeece9d194664b049727b8d0c724e
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 43d3ee28055eeece9d194664b049727b8d0c724e
Author: Cecilia Vela Gurovic <email address hidden>
Date: Mon Jul 31 17:02:36 2017 +1200

Bug 1707076: escape skin titles to display

behatnotneeded

Change-Id: I469f8136e287bb86eb17a32dbed48dec05b87969

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-10-04: A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/8088

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-10-06: A change has been merged

#10

Reviewed: https://reviews.mahara.org/8088
Committed: https://git.mahara.org/mahara/mahara/commit/5f0016db8106342a2d2305fd278dfb109a54cc5f
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 5f0016db8106342a2d2305fd278dfb109a54cc5f
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Oct 4 14:25:23 2017 +1300

Bug 1720269: old_raw patches for bugs: (create/edit views)

Bug 1718806
Bug 1718538
Bug 1707076
Bug 1693061
Bug 1692759
Bug 1692758
Bug 1690267
Bug 1668888
Bug 1693062
Bug 1688416
Bug 1677087

behatnotneeded

Change-Id: I467b2640a579ea93f8a1206d6d33ab54f1634751

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-10-06: A patch has been submitted for review

#11

Patch for "17.10_STABLE" branch: https://reviews.mahara.org/8097

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2017-10-06: A change has been merged

#12

Reviewed: https://reviews.mahara.org/8097
Committed: https://git.mahara.org/mahara/mahara/commit/a8a703746175d00fd4a0a77d75f56c332354fc07
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.10_STABLE

commit a8a703746175d00fd4a0a77d75f56c332354fc07
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Oct 4 14:25:23 2017 +1300

Bug 1720269: old_raw patches for bugs: (create/edit views)

Bug 1718806
Bug 1718538
Bug 1707076
Bug 1693061
Bug 1692759
Bug 1692758
Bug 1690267
Bug 1668888
Bug 1693062
Bug 1688416
Bug 1677087

behatnotneeded

Change-Id: I467b2640a579ea93f8a1206d6d33ab54f1634751
(cherry picked from commit 5f0016db8106342a2d2305fd278dfb109a54cc5f)

Revision history for this message

Niranjan (niranjan528) wrote on 2018-02-22:

#13

1) Login to Mahara as an admin user.

2)Navigate to main menu> Portfolio > Skins

3) Click on Create skin

3) Enter the Skin title as "<script>alert(1);</script>good!"

4) Enter the skin description.

5) Click on save button.

6) Now navigate to main menu > Portfolio > pages & collections

7) Click on Add button

8) Select page

Actual Result: An alert popup appears and it triggers every time when settings button is pressed.

Expected Result: The page settings page should be displayed without any popup alerts.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.