Moodle - MDL-49304

Unbalanced HTML tags can make pages completely unusable

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.7.7, 2.8.5
    • Fix Version/s: None
    • Component/s: General, HTML Editor (Atto)
    • Labels:
    • Testing Instructions:
      Disable the Atto HTML editor.
      Go to a course.
      Turn editing on.
      Edit one of the course's topics (take note of the editsection.php URL).
      Add the following bad HTML to the summary:

      </div></div></div>
      <script>
      <script type="text/javascript">
      <!--

      Save changes.

      Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.)

      With the patch the course will continue to display correctly.

    • Affected Branches:
      MOODLE_27_STABLE, MOODLE_28_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-49304-master

      Description

      If you enter code in an editor (or textarea) with unbalanced div tags, script tags, or html comments, it can completely break page rendering.

      At some point, it was decided that teachers are inherently trusted because there are some things they have to be able to do that would give them XSS capability. Because of that, we do absolutely no sanitization of teacher content in places like course sections, and we very frequently run into problems where they paste content from somewhere and it has unbalanced tags that then makes it impossible to fix via the UI.
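The description names three ways a stored fragment can take the rest of the page down with it: closing tags with no opener, tags that are never closed (a bare <script> swallows everything after it), and a comment opener with no terminator. The following is an added example, not Moodle's code or the patch on the MDL-49304-master branch: a small checker built on Python's html.parser that reports those defects so a save can be refused, and a balancer that drops stray closers and closes whatever is still open before the fragment is rendered. The VOID_ELEMENTS set, the class and function names, and the sample input (taken from the testing instructions above) are this example's own choices.

```python
"""Detect and repair unbalanced HTML before it is stored or rendered.

Added example, not Moodle's code. It targets the three defects described in
the issue: stray closing tags, tags never closed (including <script>), and a
comment opener without a terminator.
"""
from html.parser import HTMLParser

# Elements that never take a closing tag, so they must not be tracked as open.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class TagBalancer(HTMLParser):
    """Rebuilds the document from parser events while tracking open tags."""

    def __init__(self):
        # convert_charrefs=False so entities are re-emitted exactly as written
        super().__init__(convert_charrefs=False)
        self.parts = []         # rebuilt document fragments
        self.open_tags = []     # currently open non-void tags, innermost last
        self.stray = []         # closing tags that had nothing to close
        self.force_closed = []  # tags this balancer had to close itself

    def handle_starttag(self, tag, attrs):
        self.parts.append(self.get_starttag_text())  # keep original spelling
        if tag not in VOID_ELEMENTS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.parts.append(self.get_starttag_text())  # <br/> style: not open

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            self.stray.append(tag)                   # drop it: nothing to close
            return
        while self.open_tags:                        # close anything nested inside
            open_tag = self.open_tags.pop()
            self.parts.append(f"</{open_tag}>")
            if open_tag == tag:
                break
            self.force_closed.append(open_tag)

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def handle_comment(self, data):
        self.parts.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.parts.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.parts.append(f"<?{data}>")

    def finish(self):
        """Flush the parser, close whatever is still open, return the result."""
        self.close()
        while self.open_tags:
            open_tag = self.open_tags.pop()
            self.parts.append(f"</{open_tag}>")
            self.force_closed.append(open_tag)
        return "".join(self.parts)


def check_balance(fragment):
    """Report defects without changing anything (use this when saving)."""
    p = TagBalancer()
    p.feed(fragment)
    p.close()
    return {
        "unclosed": list(p.open_tags),
        "stray_closers": list(p.stray),
        # A "<!--" with no "-->" comments out the rest of the page.
        "unterminated_comment": fragment.count("<!--") > fragment.count("-->"),
    }


def balance_html(fragment):
    """Return the fragment with stray closers dropped and open tags closed."""
    p = TagBalancer()
    p.feed(fragment)
    return p.finish()


# Constructed sample: the fragment from the issue's testing instructions.
BAD_SUMMARY = '</div></div></div>\n<script>\n<script type="text/javascript">\n<!--'

if __name__ == "__main__":
    print(check_balance(BAD_SUMMARY))
    print(repr(balance_html(BAD_SUMMARY)))
```

check_balance is the right call at save time: a report of `{'unclosed': ['script'], 'stray_closers': ['div', 'div', 'div'], 'unterminated_comment': True}` is enough to send the form back with an error instead of storing the fragment. balance_html is the fallback for content already in the database, since it cannot add back what the author meant but does keep the damage inside the section that contains it. Note that only one `<script>` is reported as open: the second one and the comment opener are parsed as script content, which is exactly why the rest of the page disappears.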

    People

    • Votes: 5
    • Watchers: 13