Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-20812 Wiki 2.0 for Moodle - META
  3. MDL-23140

XSS in wiki pages and probably comments too

    XMLWordPrintable

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0
    • Component/s: Wiki (2.x)
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      Just search for format_text() and clean_text() in mod/wiki/*, you will get hits only in diff and upgrade, nowhere else!
      So I just disabled JS and added new page content with applet tag and it was renderer on the wiki page
      The comments use entity decoding but now cleaning if I read the code right, I was not able to test it because there were some fatal errors throws from the wiki comments functions.

      The rules are very simple: each student submitted text must be neutralised by format_text(), clean_text() or s()/p() right before outputting to page.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                24/Nov/10