Bug
Resolution: Fixed
Minor
2.5.5, 2.6.2
MOODLE_25_STABLE, MOODLE_26_STABLE
MOODLE_25_STABLE, MOODLE_26_STABLE
MDL-45387-master
Discovered while testing MDLQA-7051. When a file has aliases/shortcuts present in a course, and a user uses the file manager to edit the file's settings, the list of aliases/shortcuts is erroneously escaped.
What should happen
Each li element's contents should be escaped.
What actually happens
The entire contents of the ul, including the li tags, are escaped - resulting in http://puu.sh/8vLVh/70c902163c.png
The offending line of JavaScript is here, introduced with MDL-37507 (security issue): https://github.com/moodle/moodle/blame/MOODLE_25_STABLE/lib/form/filemanager.js#L1022
After consulting with dobedobedoh, a way to fix this has been identified: instead of performing a Y.Escape on the entire contents as above, we should perform a Y.Escape in the preceding for loop, i.e.
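    // Escape each reference individually so the <li> wrappers stay as markup.
    for (var i in obj.references) {
        node.reflist += '<li>'+Y.Escape.html(obj.references[i])+'</li>';
    }
    // node.reflist now holds only trusted tags around escaped text.
    selectnode.one('.fp-reflist .fp-value').setContent(node.reflist);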
Testing should encompass a re-test of MDL-37507 just in case to avoid any regressions.
Testing discovered: MDLQA-7051 CLONE - Backup and restore activity with files references: Restoring after source files are updated (Passed)
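The two escaping placements described in this report, side by side, as an added example that is not part of the original issue or Moodle's code. `escapeHtml` is a minimal stand-in for `Y.Escape.html`, and the function names and reference strings are constructed for illustration.

```javascript
// Minimal stand-in for Y.Escape.html (assumption: YUI is not loaded here).
function escapeHtml(s) {
    var map = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'};
    return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Behaviour reported in the issue: build the markup, then escape the whole string.
function renderEscapedWhole(references) {
    var reflist = '';
    for (var i in references) {
        reflist += '<li>' + references[i] + '</li>';
    }
    return escapeHtml(reflist); // the <li> tags themselves become visible text
}

// Proposed fix: escape each value inside the loop, keep <li> as real markup.
function renderEscapedPerItem(references) {
    var reflist = '';
    for (var i in references) {
        reflist += '<li>' + escapeHtml(references[i]) + '</li>';
    }
    return reflist;
}

// Display check: how many real list items would the browser see?
function countListItems(html) {
    return (html.match(/<li>/g) || []).length;
}

// Regression check for the escaping itself: once the <li> wrappers are
// removed, no raw '<' from a reference value may remain.
function onlyListMarkup(html) {
    return html.replace(/<\/?li>/g, '').indexOf('<') === -1;
}

// Constructed sample data: one plain name, one containing HTML-significant characters.
var SAMPLE_REFERENCES = ['Course A: notes.pdf', 'Course B: <b>draft</b> & final.txt'];

var whole = renderEscapedWhole(SAMPLE_REFERENCES);
var perItem = renderEscapedPerItem(SAMPLE_REFERENCES);
console.log('whole   :', countListItems(whole), 'list items ->', whole);
console.log('per item:', countListItems(perItem), 'list items ->', perItem);
console.log('per item keeps values escaped:', onlyListMarkup(perItem));
```

Both checks are needed when re-testing: `countListItems` catches the display bug reported here, while `onlyListMarkup` catches a fix that restores the list by dropping the escaping altogether.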