[MDL-49304] Unbalanced html tags can make pages completely unusable - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Won't Do
Affects Version/s: 2.7.7, 2.8.5, 3.8.2, 4.0.5
Fix Version/s: None
Component/s: General, HTML Editor (Atto)
Labels:

Affected Branches:
MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_38_STABLE, MOODLE_400_STABLE
Epic Link:
Atto accessibility
Pull from Repository:
git://github.com/andrewnicols/moodle.git
Pull Master Branch:
~~MDL-49304~~-master-3
Pull Master Diff URL:
https://github.com/andrewnicols/moodle/compare/f852aa8ad5...MDL-49304-master-3
Testing Instructions:

Hide

Disable the atto html editor.
Go to a course.
Turn editing on.
Edit one of the course's topics. (take note of the editsection.php URL)
add the following bad HTML to the summary.

</div></div></div>
<script>
<script type="text/javascript">
<!--

Save changes.

Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.)

With the patch the course will continue to display correctly.

Show
Disable the atto html editor. Go to a course. Turn editing on. Edit one of the course's topics. (take note of the editsection.php URL) add the following bad HTML to the summary. </div></div></div> <script> <script type="text/javascript"> <!-- Save changes. Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.) With the patch the course will continue to display correctly.

Story Points:
2
Sprint:
International 4.0 - Sprint 2, International 4.0 - Sprint 3, International 4.0 - Sprint 4, International 4.0 - Sprint 5, International 4.0 - Sprint 6, International 4.0 - Sprint 7, Internationals - 3.11 Sprint 4, Internationals - 3.11 Sprint 5

Description

If you enter code in an editor (or textarea) with unbalanced div tags, script tags, or html comments, it can completely break page rendering.

At some point, it was decided that teachers are inherently trusted because there are some things they have to be able to do that would give them XSS capability. Because of that, we do absolutely no sanitization of teacher content in places like course sections, and we very frequently run into problems where they paste content from somewhere and it has unbalanced tags that then makes it impossible to fix via the UI.

Attachments

Issue Links

blocks

MDL-65210 Atto: client-side HTML cleanup is not enough

Closed

has been marked as being related by

MDL-47002 Atto cleaning sometimes leaves un-closed html comments

Closed

MDL-52724 Atto does not generate UL tags when pasting LI tags

Closed

is duplicated by

MDL-70636 Grid Course Layout: Incorrect list elements in text field mess up entire course structure

Closed

Activity

People

Assignee:: Andrew Lyons

Reporter:: Eric Merrill

Peer reviewer:: Tim Hunt

Integrator:: Eloy Lafuente (stronk7)

Participants:: Andrew Lyons, cameron1729, CiBoT, Damyon Wiese, Dan Poltawski, David Monllaó, Eloy Lafuente (stronk7), Eric Merrill, Jetha Chan, Marina Glancy, Mathieu Petit-Clair, Matthew G. Switlik, Matt Porritt, Nicolas Dunand, Shamim Rezaie, Simey Lameze, Tim Hunt

Component watchers:: Adrian Greeve, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 17 Vote for this issue

Watchers:: 29 Start watching this issue

Dates

Created:: 26/Feb/15 1:28 PM

Updated:: 23/Dec/22 8:53 AM

Resolved:: 23/Dec/22 8:53 AM

Time Tracking

Estimated:

Remaining:

Logged:

2d 6h 37m