  1. Moodle
  2. MDL-42269 Review all new events introduced in 2.6dev
  3. MDL-42584

There should be no user-submitted HTML text in event description


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.6
    • Fix Version/s: 2.6
    • Component/s: Events API
    • Labels:
    • Sprint:
      BACKEND Sprint 6

      Description

      If there is user-submitted text in the event description, we need to deal with XSS somehow. I guess it would be better to use only integers and safe strings there for now, until we decide how to deal with this in logging and reports...

      Affected events:

      • blog_entry_created
      • blog_entry_deleted (collides with record in other field)
      • blog_entry_updated (incorrect single quotes)
      • course_module_created (modulename is ok)
      • course_module_updated
      • user_deleted
      • course_module_viewed (not sure about the 'content')

      Note: this is a minor issue because we can change descriptions at any time...
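
      The concern in the description above, as an added illustration that is not part of the original issue and is not Moodle's code: an event description built from user-submitted text carries markup into any report that prints it as HTML, while a description built only from integers and fixed strings does not. The class, the function names and the sample subject are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a logged event; NOT Moodle's event API. Needs PHP 8.0+.
final class BlogEntryCreated
{
    public function __construct(
        private int $userid,
        private int $entryid,
        private string $subject // user-submitted, untrusted
    ) {}

    // Risky pattern: user-submitted text is interpolated into the description.
    public function descriptionWithUserText(): string
    {
        return "Blog entry '{$this->subject}' was created by user with id {$this->userid}";
    }

    // Pattern proposed in the issue: only integers and fixed strings.
    public function descriptionIdsOnly(): string
    {
        return "Blog entry with id {$this->entryid} was created by user with id {$this->userid}";
    }
}

// Hypothetical report renderer that treats every description as HTML-safe.
function renderRowTrusting(string $description): string
{
    return "<tr><td>{$description}</td></tr>";
}

// Defence in depth: escape at output, however the description was built.
function renderRowEscaping(string $description): string
{
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>{$safe}</td></tr>";
}

// Constructed sample input: a blog subject that contains markup.
$event = new BlogEntryCreated(5, 42, '<script>alert(1)</script>');

echo renderRowTrusting($event->descriptionWithUserText()), "\n"; // markup reaches the page intact
echo renderRowTrusting($event->descriptionIdsOnly()), "\n";      // nothing user-controlled to inject
echo renderRowEscaping($event->descriptionWithUserText()), "\n"; // markup is rendered inert
```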

              People

              Assignee:
              rajeshtaneja Rajesh Taneja
              Reporter:
              skodak Petr Skoda
              Peer reviewer:
              Ankit Agarwal
              Integrator:
              Marina Glancy
              Tester:
              Marina Glancy
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                18/Nov/13