  1. Moodle
  2. MDL-52068

String not sanitized before passing it to JavaScript in Repository


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.9.3
    • Fix Version/s: 2.9.5, 3.0.3
    • Component/s: Repositories
    • Labels:
    • Testing Instructions:
      1. Set-up your Dropbox repository
      2. Edit the language string lang/en/repository cannotaccessparentwin and include single quotes, double quotes, special characters.
      3. Purge all caches
      4. Go to private files and select Dropbox in the file picker (logout if you're logged in)
      5. Login, and make sure:
        • you don't see any JS errors
        • the popup where you enter your Dropbox credentials closes automatically
    • Affected Branches:
      MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE, MOODLE_30_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-52068-master

      Description

      Because of an erroneous Hebrew translation, which included quote marks, we found that in passing the string token to the JS alert function, https://github.com/moodle/moodle/blob/master/repository/repository_callback.php#L80, a JS error occurred which halted the authentication process between Moodle and the Google Drive repository.

      We suggest that strings passed to JavaScript should be sanitized.
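
The failure mode described in this report, as an added example (it is not Moodle's code and not the patch for this issue): a translated string interpolated into a single-quoted JavaScript literal, beside the same string encoded as a JS literal with `json_encode()`. The function names and sample strings are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper showing the unsafe pattern: the message is interpolated
// straight into a single-quoted JS string literal.
function alert_script_unsafe(string $message): string {
    return "<script>alert('{$message}');</script>";
}

// Hypothetical helper showing the encoded form: json_encode() emits a valid JS
// string literal, and the JSON_HEX_* flags also escape ', ", <, > and & so the
// literal cannot end early or close the surrounding <script> element.
// JSON_THROW_ON_ERROR (PHP 7.3+) raises JsonException on invalid UTF-8.
function alert_script_encoded(string $message): string {
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_THROW_ON_ERROR;
    return '<script>alert(' . json_encode($message, $flags) . ');</script>';
}

// Returns true when the message would break the unsafe form: a single quote,
// backslash or line break ends or corrupts the literal, and "</script" ends
// the script element.
function breaks_single_quoted_literal(string $message): bool {
    return preg_match('/[\'\\\\\r\n]|<\/script/i', $message) === 1;
}

// Constructed sample strings (not real Moodle language strings).
$samples = [
    'plain'   => 'Cannot access the parent window',
    'quotes'  => 'Can\'t access the "parent" window',
    'newline' => "Cannot access\nthe parent window",
];

foreach ($samples as $name => $message) {
    printf("--- %s (breaks unsafe form: %s)\n", $name,
        breaks_single_quoted_literal($message) ? 'yes' : 'no');
    echo alert_script_unsafe($message), "\n";
    echo alert_script_encoded($message), "\n";
}
```

For the `quotes` sample the unsafe form emits `alert('Can't access ...')`, which the browser rejects as a syntax error, while the encoded form emits `\u0027` and `\u0022` escapes inside a double-quoted literal.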


              People

              Assignee:
              fred Frédéric Massart
              Reporter:
              leac Lea Cohen
              Peer reviewer:
              Dan Poltawski
              Integrator:
              David Monllaó
              Tester:
              Rajesh Taneja
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              0
              Watchers:
              6

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                14/Mar/16