Moodle / MDL-11778

Malformed html accepted from users

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.2
    • Fix Version/s: 1.9
    • Component/s: Forum
    • Labels:
      None
    • Affected Branches:
      MOODLE_18_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE

      Description

      Forums are vulnerable to a type 2 XSS attack:

      http://en.wikipedia.org/wiki/Cross-site_scripting#Type_2

      It's a trivial matter to inject a span tag with CSS code (specify a font size of 2000 px and see what happens!) in the title of any discussion post, and I was also able to inject the same code into the body of a forum post. The latter, however, took a bit more wrangling; I had to submit my own POST request without using the form itself.
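An added example, not part of the original report and not Moodle's code: a server-side filter for the two fields the report names, written in Python rather than Moodle's PHP. The title is treated as plain text, the body passes through an allowlist that drops `style` attributes and closes tags left open; the allowlist contents and all function names are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example: tag -> attributes that may be kept.
ALLOWED = {"p": (), "b": (), "i": (), "em": (), "strong": (), "br": (),
           "ul": (), "ol": (), "li": (), "span": (), "a": ("href",)}
VOID = {"br"}                       # tags that never take an end tag
DROP_CONTENT = {"script", "style"}  # removed together with their text
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class _BodyFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = ""
            for name, value in attrs:
                if name not in ALLOWED[tag] or value is None:
                    continue  # style=, on*= and anything unlisted is dropped
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag not in VOID:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while True:  # close inner tags first so the output stays balanced
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def render_title(raw):
    """Titles are plain text: escape everything, allow no markup at all."""
    return escape(raw, quote=True)

def sanitize_body(raw):
    """Run on the server for every submission, however the request was built."""
    f = _BodyFilter()
    f.feed(raw)
    f.close()
    closers = [f"</{t}>" for t in reversed(f.open_tags)]  # close what was left open
    return "".join(f.out + closers)
```

Because both functions run on the stored or rendered value rather than in the browser form, a hand-built POST request gets the same treatment as a normal submission.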

            People

            Assignee:
            skodak Petr Skoda
            Reporter:
            windfate David Berk
            Tester:
            Nobody
            Component watchers:
            Andrew Nicols, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

              Dates

              Fix Release Date:
              3/Mar/08