[MDL-49304] Unbalanced html tags can make pages completely unusable - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Reopened
Priority: Minor
Resolution: Unresolved
Affects Version/s: 2.7.7, 2.8.5, 3.8.2
Fix Version/s: None
Component/s: General, HTML Editor (Atto)
Labels:

Testing Instructions:

Hide

Disable the atto html editor.
Go to a course.
Turn editing on.
Edit one of the course's topics. (take note of the editsection.php URL)
add the following bad HTML to the summary.

</div></div></div>
<script>
<script type="text/javascript">
<!--

Save changes.

Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.)

With the patch the course will continue to display correctly.

Show
Disable the atto html editor. Go to a course. Turn editing on. Edit one of the course's topics. (take note of the editsection.php URL) add the following bad HTML to the summary. </div></div></div> <script> <script type="text/javascript"> <!-- Save changes. Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.) With the patch the course will continue to display correctly.
Affected Branches:
MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_38_STABLE
Epic Link:
Atto accessibility
Pull from Repository:
git://github.com/andrewnicols/moodle.git
Pull 3.10 Branch:
MDL-49304-310-3
Pull 3.10 Diff URL:
https://github.com/andrewnicols/moodle/compare/611399214b...MDL-49304-310-3
Pull Master Branch:
MDL-49304-master-3
Pull Master Diff URL:
https://github.com/andrewnicols/moodle/compare/f852aa8ad5...MDL-49304-master-3

Story Points:
2
Sprint:
International 4.0 - Sprint 2, International 4.0 - Sprint 3, International 4.0 - Sprint 4, International 4.0 - Sprint 5, International 4.0 - Sprint 6, International 4.0 - Sprint 7, Internationals - 3.11 Sprint 4, Internationals - 3.11 Sprint 5

Description

If you enter code in an editor (or textarea) with unbalanced div tags, script tags, or html comments, it can completely break page rendering.

At some point, it was decided that teachers are inherently trusted because there are some things they have to be able to do that would give them XSS capability. Because of that, we do absolutely no sanitization of teacher content in places like course sections, and we very frequently run into problems where they paste content from somewhere and it has unbalanced tags that then makes it impossible to fix via the UI.

Attachments

Issue Links

has been marked as being related by

MDL-52724 Atto does not generate UL tags when pasting LI tags

Development in progress

MDL-47002 Atto cleaning sometimes leaves un-closed html comments

Closed

is duplicated by

MDL-70636 Grid Course Layout: Incorrect list elements in text field mess up entire course structure

Closed

Activity

People

Assignee:: Andrew Nicols

Reporter:: Eric Merrill

Peer reviewer:: Tim Hunt

Integrator:: Eloy Lafuente (stronk7)

Participants:: Andrew Nicols, cameron1729, CiBoT, Damyon Wiese, Dan Poltawski, David Monllaó, Eloy Lafuente (stronk7), Eric Merrill, Jetha Chan, Marina Glancy, Matthew G. Switlik, Nicolas Dunand, Shamim Rezaie, Simey Lameze, Tim Hunt

Component watchers:: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan, Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

Votes:: 9 Vote for this issue

Watchers:: 24 Start watching this issue

Dates

Created:: 26/Feb/15 1:28 PM

Updated:: 6 hours ago

Time Tracking

Estimated:

Remaining:

Logged:

2d 6h 37m