-
Bug
-
Resolution: Fixed
-
Minor
-
3.8 regressions, 3.9 regressions
-
MOODLE_38_STABLE, MOODLE_39_STABLE
-
MDL-68423-master -
-
Moppies Kanban
Currently, if you input JavaScript in messaging, it is stripped on output, but is being executed locally (self-XSS) when the send button is pressed. A similar bug was fixed in Moodle 3.5.2 (MDL-61359), but this version appears to have been introduced in 3.8.
Steps to reproduce:
- Log in as a student.
- Open the messaging drawer, and open a conversation with yourself or another user.
- Paste the follwing into the messaging input:
<script>alert(123)</script> - Press send.
- See "123" appear in an alert popup on the sender's screen.
Note: This has not been flagged as a security issue, as it is only executed on the sender's side, and only when the message is initially sent - the sender never re-executes the script, and the message is escaped before being shown to the recipient.
Tested on 3.6, 3.7, 3.8 and master (3.9) - only 3.8 onwards appear to be affected.
(Originally reported on SF case 00066905)