Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: 2.3.1, 2.4
-
Fix Version/s: 2.4
-
Component/s: Messages
-
Labels:
-
Testing Instructions:
1) this requires a moodle plugin that will send out notifications (with multiple lines, '\n'). In my case here i've here the plugins DB where i'm attempting to do this.
2) but really all we need to do to test this is :
a) test that messaging of notifications still work fine. One way is via mod forum post notifications (/mod/forum/lib.php:714: $eventdata->notification = 1; ). so you can play around with that, perhaps add multiple lines to that notification and see that they render fine in the messaging notifications page (message/index.php?viewing=recentnotifications).b) test that no malicious scripts can get through to any user via any of the messaging processors ( jabber, email, and we've tested the webui in (a) so we can trust core there
)1) this requires a moodle plugin that will send out notifications (with multiple lines, '\n'). In my case here i've here the plugins DB where i'm attempting to do this. 2) but really all we need to do to test this is : a) test that messaging of notifications still work fine. One way is via mod forum post notifications (/mod/forum/lib.php:714: $eventdata->notification = 1; ). so you can play around with that, perhaps add multiple lines to that notification and see that they render fine in the messaging notifications page (message/index.php?viewing=recentnotifications). b) test that no malicious scripts can get through to any user via any of the messaging processors ( jabber, email, and we've tested the webui in (a) so we can trust core there ) -
Affected Branches:MOODLE_23_STABLE, MOODLE_24_STABLE
-
Fixed Branches:MOODLE_24_STABLE
-
Pull from Repository:
-
Pull Master Branch:
-
Pull Master Diff URL:
Description
While working on MDLSITE-1427 : notifications (part of which were the comment from plugin comments ) were being renderered before converting text to html.
The patch here should now allow notifications to be formatted by text_to_html() which is called from within format_text().
Gliffy Diagrams
Attachments
Activity
- All
- Comments
- Work Log
- History
- Activity
- Links Hierarchy
please cherry-pick to stables as necessary.
The only question is whether we are double extra sure that this doesn't introduce the ability to inject html. Is there any way I can now add html in a comment and get it converted to HTML in a bad way. For example a script tag containing malicious script.
Thanks for the pointer Andrew,
i've tried with script tags and they aren't reflected after text_to_html() in the comments api (comment on a plugin here). They're not in the notification page either.
They are however showing up (script tags) in my email as plain text which seems fine.
So it seems i can trust our comments and core still! Sending up integration. (adding a test too)
up for integration review.
(this might be considered for picking to stable)
The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week.
TIA and ciao
The integration of this issue has been delayed to next week because the integration period is over (Monday, Tuesday) and testing must happen on Wednesday.
This change to a more rigid timeframe on each integration/testing cycle aims to produce a better and clear separation and organization of tasks for everybody.
This is a bulk-automated message, so if you want to blame some-body/thing/where, don't do it here (use git instead) :-D :-P
Apologizes for the inconvenient, this will be integrated next week. Thanks for your collaboration & ciao
The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week.
TIA and ciao
Thanks Apu, this has been integrated now
Works Grt,
Thanks for fixing this, Aparup.
Many thanks for the hard work.
These changes have been spread upstream and are already available in the git and cvs repositories.
Ciao
putting this up for Andrew's peer-review.
EDIT: added Petr for his insight into format_text(). no idea why FORMAT_HTML and FORMAT_MOODLE is so slightly different (call to text_to_html).