[MDL-49304] Unbalanced html tags can make pages completely unusable - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Reopened
Priority: Minor
Resolution: Unresolved
Affects Version/s: 2.7.7, 2.8.5
Fix Version/s: None
Component/s: General, HTML Editor (Atto)
Labels:
- triaged

Testing Instructions:

Hide

Disable the atto html editor.
Go to a course.
Turn editing on.
Edit one of the course's topics. (take note of the editsection.php URL)
add the following bad HTML to the summary.

</div></div></div>
<script>
<script type="text/javascript">
<!--

Save changes.

Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.)

With the patch the course will continue to display correctly.

Show
Disable the atto html editor. Go to a course. Turn editing on. Edit one of the course's topics. (take note of the editsection.php URL) add the following bad HTML to the summary. </div></div></div> <script> <script type="text/javascript"> <!-- Save changes. Without the patch the course will no longer display correctly. The edit icon for the topic that was just edited is no longer visible. (You will have to use the previously noted URL to manually fix the HTML via the interface or edit it in the DB.) With the patch the course will continue to display correctly.
Affected Branches:
MOODLE_27_STABLE, MOODLE_28_STABLE
Pull from Repository:
git://github.com/SWiT/moodle.git
Pull Master Branch:
MDL-49304-master
Pull Master Diff URL:
https://github.com/SWiT/moodle/compare/d755125...MDL-49304-master

Description

If you enter code in an editor (or textarea) with unbalanced div tags, script tags, or html comments, it can completely break page rendering.

At some point, it was decided that teachers are inherently trusted because there are some things they have to be able to do that would give them XSS capability. Because of that, we do absolutely no sanitization of teacher content in places like course sections, and we very frequently run into problems where they paste content from somewhere and it has unbalanced tags that then makes it impossible to fix via the UI.

Attachments

Issue Links

has been marked as being related by

MDL-47002 Atto cleaning sometimes leaves un-closed html comments

Closed

Activity

People

Assignee:

Matthew G. Switlik

Reporter:

Eric Merrill

Peer reviewer:

Simey Lameze

Participants:

Andrew Nicols, CiBoT, Damyon Wiese, Dan Poltawski, David Monllaó, Eloy Lafuente (stronk7), Eric Merrill, Jetha Chan, Marina Glancy, Matthew G. Switlik, Nicolas Dunand, Simey Lameze, Tim Hunt

Component watchers:

Jake Dallimore, Jun Pataleta, Ryan Wyllie, Andrew Nicols, Mathew May, Michael Hawkins, Shamim Rezaie, Simey Lameze

Votes:

5 Vote for this issue

Watchers:

13 Start watching this issue

Dates

Created:

26/Feb/15 1:28 PM

Updated:

06/Jan/16 9:31 PM