
resource_display_frame() and url_display_frame() do not encode title properly


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.6, 2.6.3, 2.7, 2.8.6, 2.9, 3.0
    • Fix Version/s: 2.8.7, 2.9.1
    • Component/s: Resource
    • Labels:
    • Testing Instructions:

      A) Preparation:
      1. As admin, go to mod_resource and mod_url admin settings and enable the "in frame" display format.

      B) Without the patch applied:
      1. Create "File" resource with title = name" onmouseover="javascript:alert('hey') and set the display format to "in frame". Upload image file as attachment.
      2. View the activity and hover the frames, you should get the "hey" alert.
      3. View html source and confirm that the frame has the onmouseover injected together with the title attribute (don't confuse it with the <title> tag, it's the "title" attribute of the 2nd frame).
      4. Repeat previous steps (1-3) for a "URL" resource.
      5. Repeat above steps with display format = Embed.

      C) With the patch applied:
      1. Visit the "File" resource created in B), and hover the frames. Now you should NOT get the "hey" alert anymore.
      2. View the html source and confirm that the double quotes in the title attribute are now escaped, hence now everything is the title (no onmouseover injection anymore).
      3. Repeat previous steps (1-2) for the existing "URL" resource.
      4. Repeat above steps with display format = Embed.

      That's all!

    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE, MOODLE_29_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-47995-master

      Description

      This is not a security issue because you need a cap with RISK_XSS to edit a resource, but anyway this sloppy code should be fixed; this is a regression from MDL-31311.

      <frame src="$exteurl" title="$contentframetitle"/>
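      The following is an added illustration, not code from Moodle or from this issue's patch. It reproduces the pattern quoted above, where a user-controlled title is interpolated straight into a frame attribute, and places the attribute-encoded form next to it. The function names (frame_unescaped, frame_escaped, has_injected_handler) and the URL are hypothetical; the title value is the one from the testing instructions.

```php
<?php
// Added illustration, not code from Moodle or from this issue's patch.
// Reproduces the pattern quoted in the description (raw interpolation of
// a title into a <frame> attribute) and shows the encoded form beside it.

// Constructed inputs: the title follows the shape used in the testing
// instructions; the URL is a placeholder.
$name    = 'name" onmouseover="javascript:alert(\'hey\')';
$exteurl = 'https://example.invalid/file.png';

// Pattern from the description: the title lands in the attribute as-is,
// so a double quote in it terminates the title value early.
function frame_unescaped(string $url, string $title): string {
    return "<frame src=\"$url\" title=\"$title\"/>";
}

// Hardened form: encode for the HTML attribute context before
// interpolation. Inside Moodle the s() helper wraps htmlspecialchars();
// calling htmlspecialchars() directly keeps this file stand-alone.
function frame_escaped(string $url, string $title): string {
    $safeurl   = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safetitle = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<frame src=\"$safeurl\" title=\"$safetitle\"/>";
}

// Mirrors step 3 of the testing instructions: is there an onmouseover
// attribute sitting after a real closing quote, i.e. outside the title
// value? An encoded title yields &quot; there instead, so it does not match.
function has_injected_handler(string $html): bool {
    return (bool) preg_match('/"\s+onmouseover\s*=/i', $html);
}

echo frame_unescaped($exteurl, $name), PHP_EOL;
echo frame_escaped($exteurl, $name), PHP_EOL;
var_dump(has_injected_handler(frame_unescaped($exteurl, $name)));
var_dump(has_injected_handler(frame_escaped($exteurl, $name)));
```

      Running the file with the php CLI prints the two generated tags; the first has a separate onmouseover attribute and the check reports true, while in the second the whole payload is inside the title value (quotes rendered as &quot;) and the check reports false. The same encoding must be applied to every interpolated attribute value, which is why the example encodes the src as well.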
      

              People

              • Votes: 0
              • Watchers: 8

                Dates

              • Created:
              • Updated:
              • Resolved:
              • Fix Release Date: 6/Jul/15