[MDL-64240] Forum post word count not reflecting the size of some posts as they are displayed to users - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.5.2, 3.6, 3.7
Fix Version/s: 3.5.5, 3.6.3
Component/s: Forum, Libraries
Labels:
- ci
- release_notes
- triaged

Affected Branches:
MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
Fixed Branches:
MOODLE_35_STABLE, MOODLE_36_STABLE
Pull from Repository:
git://github.com/mickhawkins/moodle.git
Pull Master Branch:
~~MDL-64240~~-master
Pull Master Diff URL:
https://github.com/mickhawkins/moodle/compare/33a388eff7...MDL-64240-master

Testing Instructions:

Hide

NOTE: You need to be able to access database table content to test this issue.

Testing that when posts, edits and replies are posted, script content is stripped before being written to the database, and content loads correctly. Also testing word count works as expected.

Pre-requisites and setup

You need to be able to access database table content to test this issue.
You need a Moodle site with a course with a forum activity created.
Log in as admin, and open the forum.
Click the cog (actions menu) on the right, and select 'Edit settings'.
Expand 'Attachments and word count', and set 'Display word count' to 'Yes'.
Click 'Save and Display'.

Testing
You should still be logged in as admin, and on the forum summary page (from the last step of setup).

Click 'Add a new discussion topic'.

Add a discussion topic as follows:
Subject: "What do".
In message, click 'show more buttons' (the top left icon in Atto), then click the HTML button (bottom right icon in Atto). Paste in the following text:

 <p onclick="alert('boop');">Snoot is booped</p>

 <script>alert('Boop the snoot');</script>

 <img alt="Boop the Snoot." src="https://proxy.duckduckgo.com/iu/?u=http%3A%2F%2Fwww.geekfill.com%2Fwp-content%2Fuploads%2F2015%2F08%2FBoop-the-Snoot.jpg&f=1">

Click 'Post to forum'.
Open the database for your Moodle site, and access the mdl_forum_posts table.

Find the most recent post (the one you just created), CONFIRM only the onclick event on the paragraph, and the <script> content have been removed, so the message field is as follows:

<p>Snoot is booped</p>

<img alt="Boop the Snoot." src="https://proxy.duckduckgo.com/iu/?u=http%3A%2F%2Fwww.geekfill.com%2Fwp-content%2Fuploads%2F2015%2F08%2FBoop-the-Snoot.jpg&amp;f=1" />

Return to the forum and open the 'What do' post.
CONFIRM the post is visible, with 'Snoot is booped' and the image both appearing.
CONFIRM The word count below the image says '3 words'.
Click 'Edit', open the HTML editor, and overwrite the whole post with the original content from step 2 above, then save.
CONFIRM the post still appears correct and CONFIRM the word count still says '3 words'.
Go back to the database and refresh your view of mdl_forum_posts.
CONFIRM the content of 'message' in the post still matches the example in step 5.
Return to the forum post in Moodle.
Click 'Reply'.
Open the HTML editor and paste in the content from step 2, and click 'Post to forum'.
Go back to the database and refresh your view of mdl_forum_posts.
In the row for the new reply post, CONFIRM the message content matches the example in step 5.
Return to the forum post in Moodle.
CONFIRM the content in the reply appears correctly and CONFIRM the word count still says '3 words'.

Show

NOTE: You need to be able to access database table content to test this issue. Testing that when posts, edits and replies are posted, script content is stripped before being written to the database, and content loads correctly. Also testing word count works as expected. Pre-requisites and setup You need to be able to access database table content to test this issue. You need a Moodle site with a course with a forum activity created. Log in as admin, and open the forum. Click the cog (actions menu) on the right, and select 'Edit settings'. Expand 'Attachments and word count', and set 'Display word count' to 'Yes'. Click 'Save and Display'. Testing You should still be logged in as admin, and on the forum summary page (from the last step of setup). Click 'Add a new discussion topic'. Add a discussion topic as follows: Subject: "What do". In message , click 'show more buttons' (the top left icon in Atto), then click the HTML button (bottom right icon in Atto). Paste in the following text: <p onclick="alert('boop');">Snoot is booped</p> <script>alert('Boop the snoot');</script> <img alt="Boop the Snoot." src="https://proxy.duckduckgo.com/iu/?u=http%3A%2F%2Fwww.geekfill.com%2Fwp-content%2Fuploads%2F2015%2F08%2FBoop-the-Snoot.jpg&f=1"> Click 'Post to forum'. Open the database for your Moodle site, and access the mdl_forum_posts table. Find the most recent post (the one you just created), CONFIRM only the onclick event on the paragraph, and the <script> content have been removed, so the message field is as follows: <p>Snoot is booped</p> <img alt="Boop the Snoot." src="https://proxy.duckduckgo.com/iu/?u=http%3A%2F%2Fwww.geekfill.com%2Fwp-content%2Fuploads%2F2015%2F08%2FBoop-the-Snoot.jpg&f=1" /> Return to the forum and open the 'What do' post. CONFIRM the post is visible, with 'Snoot is booped' and the image both appearing. CONFIRM The word count below the image says '3 words'. Click 'Edit', open the HTML editor, and overwrite the whole post with the original content from step 2 above, then save. CONFIRM the post still appears correct and CONFIRM the word count still says '3 words'. Go back to the database and refresh your view of mdl_forum_posts. CONFIRM the content of 'message' in the post still matches the example in step 5. Return to the forum post in Moodle. Click 'Reply'. Open the HTML editor and paste in the content from step 2, and click 'Post to forum'. Go back to the database and refresh your view of mdl_forum_posts. In the row for the new reply post, CONFIRM the message content matches the example in step 5. Return to the forum post in Moodle. CONFIRM the content in the reply appears correctly and CONFIRM the word count still says '3 words'.

Description

Some students make forum posts in Internet Explorer and search for images using BING. Then they drag and drop (or copy/paste) the images from BING into the forum text box and save it.

The forum posts appear to contain some javascript in addition to the raw image data. This causes the count_words internal function in Moodle to report a much larger number of words.

If you edit/save the post, the code is cleaned by Moodle and the word count returns to "normal", but the initial save, "cleaning" is not done by Moodle which may be a possible security issue.

Here is a link to an example post-message copied from the database directly.

Attachments

Issue Links

caused a regression

MDL-78505 Markdown text format ignores $options['noclean'] and fix for mangling of Markdown in editors

Closed

MDL-78525 count_words() and count_letters() should format text before counting to match display logic

Closed

Activity

People

Assignee:: Michael Hawkins

Reporter:: Thom Rawson

Peer reviewer:: Peter Dias

Integrator:: Eloy Lafuente (stronk7)

Tester:: Simey Lameze

Participants:: CiBoT, Eloy Lafuente (stronk7), Michael Hawkins, Peter Dias, Petr Skoda, Simey Lameze, Thom Rawson

Component watchers:: Adrian Greeve, Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 28/Nov/18 8:27 AM

Updated:: 20/Jun/23 2:47 PM

Resolved:: 25/Jan/19 12:08 AM

Fix Release Date:: 11/Mar/19