Moodle

XSS in wiki pages and probably comments too

Details

  • Type: Sub-task
  • Status: Closed
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 2.0
  • Fix Version/s: 2.0
  • Component/s: Wiki (2.x)
  • Labels:
    None
  • Affected Branches:
    MOODLE_20_STABLE
  • Fixed Branches:
    MOODLE_20_STABLE

Description

Just search for format_text() and clean_text() in mod/wiki/*; you will get hits only in diff and upgrade, nowhere else!
So I just disabled JS and added new page content with an applet tag, and it was rendered on the wiki page.
The comments use entity decoding but no cleaning, if I read the code right; I was not able to test it because there were some fatal errors thrown from the wiki comments functions.

The rules are very simple: every piece of student-submitted text must be neutralised by format_text(), clean_text() or s()/p() right before it is output to the page.
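As an added illustration of that rule (this is not code from the tracker or from Moodle's mod/wiki module), here is a wiki page renderer in its unsafe form beside its fixed form. The unsafe version echoes stored page content verbatim; the fixed version escapes plain-text fields with s() and passes the HTML body through format_text(), which runs clean_text() internally. The function names render_wiki_page_unsafe(), render_wiki_page_fixed() and render_wiki_comment_fixed(), the fields $page->title, $page->content, $page->contentformat and $comment->content, and the sample payload are all assumptions made for the example; the block assumes it runs inside a Moodle request where config.php has already been loaded, since format_text(), clean_text(), s() and the FORMAT_* constants are Moodle library functions.

```php
<?php
// Added example: applies the "neutralise right before output" rule from the
// issue description. Not Moodle's own mod/wiki code. Assumes Moodle's config.php
// has already been included, so format_text(), clean_text() and s() are defined.

/**
 * Unsafe: stored wiki content is echoed as-is, so any HTML a student saved
 * (the issue reports an <applet> tag) reaches the browser untouched.
 * The $page fields (title, content, contentformat) are assumed for this example.
 */
function render_wiki_page_unsafe(stdClass $page): string {
    $html  = '<h2>' . $page->title . '</h2>';
    $html .= '<div class="wiki-content">' . $page->content . '</div>';
    return $html;
}

/**
 * Fixed: every student-supplied string is neutralised at the output boundary.
 *  - s() HTML-escapes plain-text fields such as the title.
 *  - format_text() cleans the HTML body (clean_text() runs inside it, driven by
 *    the site's allowed-tag configuration) and applies filters for the stored format.
 * $context is the module context (obtained however the installed Moodle version
 * provides it); 'trusted' => false means the text is treated as untrusted user input.
 */
function render_wiki_page_fixed(stdClass $page, $context): string {
    $options = ['context' => $context, 'trusted' => false];
    $html  = '<h2>' . s($page->title) . '</h2>';
    $html .= '<div class="wiki-content">'
           . format_text($page->content, $page->contentformat, $options)
           . '</div>';
    return $html;
}

/**
 * Comments: the issue notes entity decoding without cleaning. Decoding must be
 * followed by clean_text() (or format_text()) before output, not replace it.
 * The entity-encoded storage of $comment->content is an assumption here.
 */
function render_wiki_comment_fixed(stdClass $comment): string {
    $decoded = html_entity_decode($comment->content, ENT_QUOTES, 'UTF-8');
    return '<p class="wiki-comment">' . clean_text($decoded, FORMAT_HTML) . '</p>';
}

// Constructed sample input, not real tracker data: the kind of page the issue describes.
$page = new stdClass();
$page->title         = 'Test <b>page</b>';
$page->content       = '<p>Hello</p><applet code="x"></applet>';
$page->contentformat = FORMAT_HTML;

$comment = new stdClass();
$comment->content = '&lt;p&gt;A comment&lt;/p&gt;&lt;applet code=&quot;x&quot;&gt;&lt;/applet&gt;';

// context_system::instance() exists from Moodle 2.2 onwards; an assumption for the demo.
$context = context_system::instance();
echo render_wiki_page_fixed($page, $context);   // applet removed, title tags shown escaped
echo render_wiki_comment_fixed($comment);       // applet removed after decoding
```

The point the example makes is that the cleaning call sits in the renderer, at the moment of output, rather than relying on whatever happened at save time; every path that emits wiki or comment text then goes through the same boundary.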

Activity

Martin Dougiamas added a comment -

Yes this is a very big one.
Martin Dougiamas added a comment -

Hello? Jordi? Ludo tells me you've been working on these? If not can you let us know?
Martin Dougiamas added a comment -

Andrew, can you take this one, please?

All the wiki content should go through format_text().
Jordi Piguillem Poch added a comment -

Hi Martin,

I committed some code a week ago. I added calls to format_text and format_string everywhere at pagelib.php and renderer.php
Andrew Davis added a comment -

This has been resolved since it was opened by Jordi and MDL-23456
