  1. Moodle
  2. MDL-66206

Insufficient HTML encoding in Participants filter display


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not a bug
    • Affects Version/s: 3.5.7
    • Fix Version/s: None
    • Component/s: User management
    • Labels:
      None
    • Affected Branches:
      MOODLE_35_STABLE

      Description

      When searching on the participants page
      https://moodle.mydomain.com/user/index.php?contextid=1234546&id=56154&perpage=20
      the search filters appear to be insufficiently HTML encoded:

      E.g. search for "lf0p9fq082><" without quotes – the opening angle bracket is stripped, but the closing angle bracket is not HTML encoded

       

      E.g. search for "Gilbert&Sullivan" without quotes - the & is reproduced as-is in (a) the span[role=listitem].text() and (b) the select#unified-filters>option[selected="selected"]

      <span role="listitem" data-value="Gilbert&amp;amp;Sullivan" aria-selected="true" class="tag tag-info mb-3 mr-1" style="font-size: 100%">
                  <span aria-hidden="true">× </span>Gilbert&amp;Sullivan
      </span>
      ...
      <option value="Gilbert&amp;amp;Sullivan" selected="selected">Gilbert&amp;Sullivan</option>
      

      This suggests the HTML entity was not encoded in all places.
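
One way to check a report like this is to measure, in the raw response body, how many rounds of HTML encoding each reflection of the search term has had. The following is an added example, not Moodle code or part of the original report; the markup in `SAMPLE` is constructed, and `encoded_forms` and `reflection_depths` are hypothetical helper names.

```python
import re
from html import escape

# Attribute name="value" pairs and text between tags. Enough for the simple,
# well-formed sample below; not a general HTML parser.
SINK_RE = re.compile(r'([\w-]+)="([^"]*)"|>([^<]+)<')

# Constructed markup shaped like the filter widget, one sink per encoding depth.
SAMPLE = """
<span role="listitem" data-value="Gilbert&amp;amp;Sullivan" class="tag">
  <span aria-hidden="true">x </span>Gilbert&amp;Sullivan
</span>
<option value="Gilbert&amp;Sullivan" selected="selected">Gilbert&Sullivan</option>
"""


def encoded_forms(term, max_depth=2):
    """Return term as it appears in source after 0..max_depth encoding rounds."""
    forms = [term]
    for _ in range(max_depth):
        forms.append(escape(forms[-1], quote=True))
    return forms


def reflection_depths(source, term, max_depth=2):
    """Return [(sink, depth)] for each attribute or text node reflecting term.

    depth 0 = raw, 1 = encoded once, 2 = encoded twice.
    """
    forms = encoded_forms(term, max_depth)
    if forms[0] == forms[1]:
        raise ValueError("term must contain a character that HTML encoding changes")
    found = []
    for match in SINK_RE.finditer(source):
        name, attr_value, text = match.groups()
        sink, raw = ("@" + name, attr_value) if name else ("text", text)
        # Deepest form first, so each sink is reported once at its actual depth.
        for depth in range(max_depth, -1, -1):
            if forms[depth] in raw:
                found.append((sink, depth))
                break
    return found


if __name__ == "__main__":
    for sink, depth in reflection_depths(SAMPLE, "Gilbert&Sullivan"):
        print(f"{sink:12} encoded {depth}x")
```

Depth 1 is what a correctly encoded value looks like in page source; values read from the DOM (for example with `.text()`) have already been decoded once by the browser.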


            People

            • Assignee:
              Unassigned
              Reporter:
              mwebster Mark van Hoek
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón