[MDL-47995] resource_display_frame() and url_display_frame() does not encode title properly - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.5.6, 2.6.3, 2.7, 2.8.6, 2.9, 3.0
Fix Version/s: 2.8.7, 2.9.1
Component/s: Resource
Labels:
- ci
- triaged

Testing Instructions:

Hide

A) Preparation:
1. As admin, go to mod_resource and mod_url admin settings and enable the "in frame" display format.

B) Without the patch applied:
1. Create "File" resource with title = name" onmouseover="javascript:alert('hey') and set the display format to "in frame". Upload image file as attachment.
2. View the activity and hover the frames, you should get the "hey" alert.
3. View html source and confirm that the frame has the onmouseover injected together with the title attribute (don't confuse it with the <title> tag, it's the "title" attribute of the 2nd frame.
4. Repeat previous steps (1-3) for a "URL" resource.
5. Repeat above steps with display format = Embed.

C) With the patch applied:
1. Visit the "File" resource created in B), and hover the frames. Now you should NOT get the "hey" alert anymore.
2. View the html source and confirm that the double quotes in the tittle attribute are now escaped, hence now everything is the title (no onmouseover injection anymore).
3. Repeat previous steps (1-2) for the existing "URL" resource.
4. Repeat above steps with display format = Embed.

That's all!

Show
A) Preparation: 1. As admin, go to mod_resource and mod_url admin settings and enable the "in frame" display format. B) Without the patch applied: 1. Create "File" resource with title = name" onmouseover="javascript:alert('hey') and set the display format to "in frame". Upload image file as attachment. 2. View the activity and hover the frames, you should get the "hey" alert. 3. View html source and confirm that the frame has the onmouseover injected together with the title attribute (don't confuse it with the <title> tag, it's the "title" attribute of the 2nd frame. 4. Repeat previous steps (1-3) for a "URL" resource. 5. Repeat above steps with display format = Embed. C) With the patch applied: 1. Visit the "File" resource created in B), and hover the frames. Now you should NOT get the "hey" alert anymore. 2. View the html source and confirm that the double quotes in the tittle attribute are now escaped, hence now everything is the title (no onmouseover injection anymore). 3. Repeat previous steps (1-2) for the existing "URL" resource. 4. Repeat above steps with display format = Embed. That's all!
Difficulty:
Easy
Affected Branches:
MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE
Fixed Branches:
MOODLE_28_STABLE, MOODLE_29_STABLE
Pull from Repository:
git://github.com/lameze/moodle.git
Pull Master Branch:
~~MDL-47995~~-master
Pull Master Diff URL:
https://github.com/lameze/moodle/compare/803f5657...MDL-47995-master

Description

This is not a security issue because you need cap with RISK_XSS to edit resource, but anyway this sloppy code should be fixed, this is a regressions from ~~MDL-31311~~

<frame src="$exteurl" title="$contentframetitle"/>

Attachments

Issue Links

is a regression caused by

MDL-31311 Fix duplicate title attributes for iframed file and URL resources

Closed

Activity

People

Assignee:: Simey Lameze

Reporter:: Petr Skoda

Peer reviewer:: Simey Lameze

Integrator:: Eloy Lafuente (stronk7)

Tester:: Jetha Chan

Participants:: Andrew Nicols, CiBoT, David Monllaó, Eloy Lafuente (stronk7), Jetha Chan, Marina Glancy, Petr Skoda, Rajesh Taneja, Simey Lameze, Snigdha Sharma, Vlad Nistorica

Component watchers:: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 31/Oct/14 6:28 PM

Updated:: 05/Jun/15 6:50 AM

Resolved:: 05/Jun/15 6:50 AM

Fix Release Date:: 6/Jul/15