  1. Moodle
  2. MDL-42269 Review all new events introduced in 2.6dev
  3. MDL-42584

there should be no user submitted html text in event description

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.6
    • Fix Version/s: 2.6
    • Component/s: Events API
    • Labels:
    • Sprint:
      BACKEND Sprint 6

      Description

      If there is user submitted text in event description we need to deal with XSS somehow, I guess it would be better to use only integers and safe strings there for now until we decide how to deal with this in logging and reports...

      Affected events:

      • blog_entry_created
      • blog_entry_deleted (collides with record in other field)
      • blog_entry_updated (incorrect single quotes)
      • course_module_created (modulename is ok)
      • course_module_updated
      • user_deleted
      • course_module_viewed (not sure about the 'content')

      Note: this is a minor issue because we can change descriptions at any time...
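
      An added example, not part of the original issue and not Moodle's own code: a small review check that fills every user-controlled string field of an event with a marker and reports which event classes echo it into their description. The `demo_*` classes, the constructor shape and the `other['subject']` / `other['content']` field names are assumptions made for illustration (PHP 8 syntax).

```php
<?php
// Added example: stand-in event classes, NOT Moodle's event API.
// Field names (userid, objectid, other['subject'], other['content']) are assumed.

abstract class demo_event {
    public function __construct(
        public int $userid,
        public int $objectid,
        public array $other = []
    ) {}

    abstract public function get_description(): string;
}

// Copies a user-submitted subject into the description: the pattern the issue flags.
class demo_entry_created_unsafe extends demo_event {
    public function get_description(): string {
        return "User {$this->userid} created blog entry '{$this->other['subject']}'";
    }
}

// Integers and fixed strings only, so the text can be stored and printed
// by any log or report without the description itself carrying markup.
class demo_entry_created_safe extends demo_event {
    public function get_description(): string {
        return "The user with id '{$this->userid}' created the blog entry "
             . "with id '{$this->objectid}'.";
    }
}

// Build each event with a marker in every string field and return the
// class names whose description contains that marker.
function find_tainted_descriptions(array $classes): array {
    // Constructed, harmless markup; random suffix avoids accidental matches.
    $marker = '<b>TAINT-' . bin2hex(random_bytes(4)) . '</b>';
    $tainted = [];
    foreach ($classes as $class) {
        $event = new $class(2, 15, ['subject' => $marker, 'content' => $marker]);
        if (strpos($event->get_description(), $marker) !== false) {
            $tainted[] = $class;
        }
    }
    return $tainted;
}

print_r(find_tainted_descriptions([
    'demo_entry_created_unsafe',
    'demo_entry_created_safe',
]));
```

      Run over a list of event classes, the check returns only those whose description still carries submitted text, which is the set that needs rewriting to ids and safe strings.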

              People

              • Assignee:
                rajeshtaneja Rajesh Taneja
                Reporter:
                skodak Petr Skoda
                Peer reviewer:
                Ankit Agarwal
                Integrator:
                Marina Glancy
                Tester:
                Marina Glancy
                Participants:
                Component watchers:
                Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  18/Nov/13