
MDL-47995: resource_display_frame() and url_display_frame() do not encode the title properly


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Fix Version/s: 2.8.7, 2.9.1
    • Affects Version/s: 2.5.6, 2.6.3, 2.7, 2.8.6, 2.9, 3.0
    • Component/s: Resource
    • Affected Branches: MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE
    • Fixed Branches: MOODLE_28_STABLE, MOODLE_29_STABLE
    • Pull Master Branch: MDL-47995-master
    • Difficulty: Easy

      A) Preparation:
      1. As admin, go to mod_resource and mod_url admin settings and enable the "in frame" display format.

      B) Without the patch applied:
      1. Create a "File" resource with title = name" onmouseover="javascript:alert('hey') and set the display format to "in frame". Upload an image file as the attachment.
      2. View the activity and hover over the frames; you should get the "hey" alert.
      3. View the HTML source and confirm that the frame has the onmouseover injected together with the title attribute (don't confuse it with the <title> tag; it's the "title" attribute of the 2nd frame).
      4. Repeat previous steps (1-3) for a "URL" resource.
      5. Repeat above steps with display format = Embed.

      C) With the patch applied:
      1. Visit the "File" resource created in B) and hover over the frames. You should NOT get the "hey" alert anymore.
      2. View the HTML source and confirm that the double quotes in the title attribute are now escaped, so the whole value is the title (no onmouseover injection anymore).
      3. Repeat previous steps (1-2) for the existing "URL" resource.
      4. Repeat above steps with display format = Embed.

      That's all!


      This is not a security issue because you need a capability with RISK_XSS to edit a resource, but this sloppy code should be fixed anyway; this is a regression from MDL-31311.

      <frame src="$exteurl" title="$contentframetitle"/>
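The line above is the bug in one sentence: two values dropped into HTML attributes with no escaping. The following is an added example, not Moodle's own code, that reproduces the attribute-context injection in isolation, shows the escaped form beside it, and turns steps B3/C2 of the testing instructions ("view the HTML source and confirm ...") into a parser-based check. The variable names $exteurl and $contentframetitle mirror the issue; the function names, the placeholder URL and the construction of the sample payload are assumptions made for this illustration.

```php
<?php
// Added example (not Moodle's code): the attribute-context bug from MDL-47995
// reproduced stand-alone. Function names, the placeholder URL and the sample
// input are assumptions for this illustration.

// Vulnerable form: the resource title is interpolated straight into title="".
// A double quote in the title closes the attribute, and whatever follows is
// parsed as further attributes of the <frame>, e.g. onmouseover="...".
function build_frame_unsafe(string $exteurl, string $contentframetitle): string {
    return '<frame src="' . $exteurl . '" title="' . $contentframetitle . '"/>';
}

// Hardened form: escape both values for an HTML attribute context. ENT_QUOTES
// turns " into &quot; (and ' into &#039;), so the attribute cannot be closed
// early. Moodle's s() helper applies htmlspecialchars() in the same way.
function build_frame_safe(string $exteurl, string $contentframetitle): string {
    return '<frame src="' . htmlspecialchars($exteurl, ENT_QUOTES, 'UTF-8')
        . '" title="' . htmlspecialchars($contentframetitle, ENT_QUOTES, 'UTF-8') . '"/>';
}

// Parse the rendered markup the way a browser would and return the <frame>'s
// attributes, entity-decoded. An injected payload shows up as an extra on*
// attribute; an escaped one stays entirely inside the title value.
function frame_attributes(string $frame_markup): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragment, not a full document: ignore parser warnings
    $doc->loadHTML('<frameset>' . $frame_markup . '</frameset>');
    libxml_clear_errors();
    $attrs = [];
    $frame = $doc->getElementsByTagName('frame')->item(0);
    if ($frame !== null) {
        foreach ($frame->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

// True if any attribute on the element is an event handler (onmouseover, onload, ...).
function has_event_handler_attribute(array $attrs): bool {
    foreach (array_keys($attrs) as $name) {
        if (strncasecmp($name, 'on', 2) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed input: the payload from the testing instructions plus a placeholder URL.
$payload = 'name" onmouseover="javascript:alert(\'hey\')';
$exteurl = 'https://example.invalid/pluginfile/image.png';

foreach (['unsafe' => build_frame_unsafe($exteurl, $payload),
          'safe'   => build_frame_safe($exteurl, $payload)] as $label => $markup) {
    $attrs = frame_attributes($markup);
    printf("%-6s markup:   %s\n", $label, $markup);
    printf("%-6s parsed:   %s\n", $label, json_encode($attrs, JSON_UNESCAPED_SLASHES));
    printf("%-6s injected: %s\n\n", $label, has_event_handler_attribute($attrs) ? 'yes' : 'no');
}
```

Run it with `php frame_title.php`. For the unsafe rendering the parser reports a separate onmouseover attribute; for the safe rendering the parsed title attribute is the original payload string, with no handler attribute alongside it. Note that escaping the src attribute as well is deliberate: the issue's line interpolates $exteurl unescaped too, and the same attribute-context rule applies to it.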
      

            lameze (Simey Lameze)
            skodak (Petr Skoda)
            Simey Lameze
            Eloy Lafuente (stronk7)
            Jetha Chan
            Votes: 0
            Watchers: 8
