
Key: MDL-10633
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Minor
Assignee: Dongsheng Cai
Reporter: Kenneth Newquist
Votes: 10
Watchers: 5
Moodle

Event names in Calendar are not properly escaped with recursive_stripslashes

Created: 28/Jul/07 05:55 AM   Updated: 10/Jul/08 04:33 PM
Component/s: Calendar
Affects Version/s: 1.8.5, 1.9.1
Fix Version/s: 1.8.6, 1.9.2

File Attachments: 1. Text File calendar_recursive_event_patch.txt (0.8 kB)

Environment: Moodle 1.8.2+ (2007021520)

Participants: Dongsheng Cai, Eloy Lafuente (stronk7), Kenneth Newquist, Nicolas Connault and Petr Skoda
Security Level: None
QA Assignee: Petr Skoda
Resolved date: 02/Jul/08
Affected Branches: MOODLE_18_STABLE, MOODLE_19_STABLE
Fixed Branches: MOODLE_18_STABLE, MOODLE_19_STABLE


Description
Event titles in Calendar are not properly escaped for events spanning multiple days because it relies on "stripslashes" rather than "recursive_stripslashes" in /htdocs/calendar/event.php

This works for single events, but not multiple events, presumably because the names for multiple events are stored in an array.

The following code (on lines 163 and 173):

 $form->name = stripslashes($form->name);

Needs to be replaced with:

$form->name = stripslashes_recursive($form->name);




Kenneth Newquist added a comment - 16/Oct/07 09:27 PM
[bump]

Kenneth Newquist added a comment - 06/Jan/08 03:37 AM
This bug remains in Moodle 1.8.3 (2007021534).

To recreate it:

1. Create an event with quotes in the header or single quotes in the body.
2. Set the event to repeat for multiple days.
3. Save the event.
4. Open the event for editing. The slashes appear in the quotes and are saved when you save the event.


Kenneth Newquist added a comment - 20/Jun/08 12:36 AM
This problem still exists in Moodle 1.9.1.

Kenneth Newquist added a comment - 20/Jun/08 03:24 AM
I verified the bug still exists in Moodle 1.9.1 (Build: 20080515). My proposed fix from way back in 1.7, however, is wrong; as that dealt with the logged version of the form name. I think the proper fix is to strip the slashes when loading the form data, and I've generated a patch that reflects that.

Eloy Lafuente (stronk7) added a comment - 22/Jun/08 09:17 AM
Hi Dongsheng, can you please take a look at this? TIA!

Ciao


Dongsheng Cai added a comment - 27/Jun/08 11:06 AM
Hi, Kenneth, thanks for your patch. stripslashes and addslashes are called several times during this process, single and double quotes will be escaped again, so your change is good.

Dongsheng Cai added a comment - 27/Jun/08 11:13 AM
Please review, thanks.

Nicolas Connault added a comment - 01/Jul/08 04:00 PM
Tested in 1.8 and 1.9. Closing.

Petr Skoda added a comment - 02/Jul/08 06:44 AM
reopening, when you remove magic quotes please double check that you are not creating sql injections

going to fix the code now...


Petr Skoda added a comment - 02/Jul/08 07:03 AM
should be fixed now, please review and retest

Kenneth Newquist added a comment - 02/Jul/08 07:04 PM
Ugh. Sorry about that. I tested the updated file on my Moodle 1.9.1 (Build: 20080515) test site, and it worked perfectly. Thanks!

Petr Skoda added a comment - 10/Jul/08 04:33 PM
closing, thanks!
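
An added illustration of the two failure modes discussed in this issue: the doubled slashes from the original report, and the SQL injection risk Petr Skoda raised when slashes are stripped. It is not Moodle's code or the committed fix. The helper `example_strip_recursive`, the `event` table, and the sample data are assumptions constructed for the example, and `addslashes` stands in for what magic quotes would have done to the request.

```php
<?php
// Hypothetical helper (not Moodle's function): strip slashes from a string
// or from every string inside a nested array, as repeating events submit.
function example_strip_recursive($value) {
    if (is_array($value)) {
        return array_map('example_strip_recursive', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Build the SQL text for an event name (hypothetical table and column).
function example_update_sql($name_literal) {
    return "UPDATE event SET name = '" . $name_literal . "' WHERE id = 1";
}

// Constructed sample: a repeating event as it arrives with magic quotes on.
$submitted = array(
    'name'   => addslashes('Parents\' "open" day'),
    'repeat' => array('count' => '3', 'note' => addslashes("Don't be late")),
);

// 1. Escaped twice: the input is already slashed, and escaping it again
//    stores literal backslashes. This is the symptom in the report.
$double = example_update_sql(addslashes($submitted['name']));

// 2. Stripped for the edit form, then reused in SQL unescaped: the quote in
//    the name ends the string literal early. This is the risk raised when
//    the stripslashes call was moved.
$form   = example_strip_recursive($submitted);
$unsafe = example_update_sql($form['name']);

// 3. Balanced: strip once for display, escape once where the SQL is built.
//    (addslashes mirrors the legacy magic-quotes convention only; current
//    code would pass the value as a bound parameter instead.)
$safe = example_update_sql(addslashes($form['name']));

// HTML-escape at output time when the stripped value goes into the form.
echo htmlspecialchars($form['name'], ENT_QUOTES), "\n";
echo $double, "\n", $unsafe, "\n", $safe, "\n";
```

Comparing the three printed statements shows why every `stripslashes` added for display has to be matched by exactly one escape (or a bound parameter) before the value reaches the database.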