Moodle

mod/feedback:complete marked with XSS risk

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Blocker Blocker
  • Resolution: Fixed
  • Affects Version/s: 1.9.4, 2.0
  • Fix Version/s: 1.9.5, 2.0
  • Component/s: Feedback
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE, MOODLE_20_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE, MOODLE_20_STABLE

Description

mod/feedback:complete capability is given to user, but is marked as RISK_XSS
This is not possible, no XSS cap may be given to students. I suppose you meant to set SPAM risk there only, right?

Issue Links

This issue has been marked as being related by:
MDL-18033 Security Report erroneous Critical warning on Windows System for default role Major Closed
MDL-18037 Thousands of users that must be trustable on Security Report Minor Closed

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Petr Škoda (skodak) added a comment -

I have committed a patch that removes the XSS risk from this cap, please review the code, thanks

Show
Petr Škoda (skodak) added a comment - I have committed a patch that removes the XSS risk from this cap, please review the code, thanks
Hide
Permalink
Andreas Grabs added a comment -

Thank you !

Show
Andreas Grabs added a comment - Thank you !
Hide
Permalink
Petr Škoda (skodak) added a comment -

I have added the fix into 1.9.x contrib branch too because it was causing problems in security overview report, thanks.

Show
Petr Škoda (skodak) added a comment - I have added the fix into 1.9.x contrib branch too because it was causing problems in security overview report, thanks.
Hide
Permalink
Petr Škoda (skodak) added a comment -

oops, forgot to bump up version number in 19 branch, sorrry

Show
Petr Škoda (skodak) added a comment - oops, forgot to bump up version number in 19 branch, sorrry
Hide
Permalink
Tim Hunt added a comment -

Good fix. Thanks.

Show
Tim Hunt added a comment - Good fix. Thanks.

People

Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.