Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-49304

Unbalanced html tags can make pages completely unusable

    XMLWordPrintable

Details

    • MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_38_STABLE, MOODLE_400_STABLE
    • MDL-49304-master-3
    • Hide

      Disable the atto html editor.
      Go to a course.
      Turn editing on.
      Edit one of the course's topics. (take note of the editsection.php URL)
      add the following bad HTML to the summary.

      </div></div></div>
      <script>
      <script type="text/javascript">
      <!--

      Save changes.

      Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.)

      With the patch the course will continue to display correctly.

      Show
      Disable the atto html editor. Go to a course. Turn editing on. Edit one of the course's topics. (take note of the editsection.php URL) add the following bad HTML to the summary. </div></div></div> <script> <script type="text/javascript"> <!-- Save changes. Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.) With the patch the course will continue to display correctly.
    • 2
    • International 4.0 - Sprint 2, International 4.0 - Sprint 3, International 4.0 - Sprint 4, International 4.0 - Sprint 5, International 4.0 - Sprint 6, International 4.0 - Sprint 7, Internationals - 3.11 Sprint 4, Internationals - 3.11 Sprint 5

    Description

      If you enter code in an editor (or textarea) with unbalanced div tags, script tags, or html comments, it can completely break page rendering.

      At some point, it was decided that teachers are inherently trusted because there are some things they have to be able to do that would give them XSS capability. Because of that, we do absolutely no sanitization of teacher content in places like course sections, and we very frequently run into problems where they paste content from somewhere and it has unbalanced tags that then makes it impossible to fix via the UI.

      Attachments

        Issue Links

          Activity

            People

              dobedobedoh Andrew Lyons
              emerrill Eric Merrill
              Tim Hunt Tim Hunt
              Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
              Adrian Greeve, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              17 Vote for this issue
              Watchers:
              29 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 days, 6 hours, 37 minutes
                  2d 6h 37m