  1. Moodle
  2. MDL-71846

Inconsistent escaping of user/group names on group management page


    Details

    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_311_STABLE
    • Fixed Branches:
      MOODLE_310_STABLE, MOODLE_311_STABLE
    • Pull 3.10 Branch:
      MDL-71846-310
    • Pull 3.11 Branch:
      MDL-71846-311
    • Pull Master Branch:
    • Testing Instructions:
      1. Login as admin
      2. Navigate to Users > Permissions > User policies in site administration
      3. Select ID number for Show user identity and save changes
      4. Create a new user with ID number:

        o'really<hi>"there"
        

      5. Create a new course
        • Group mode: Visible groups
      6. Enrol new user on course as a student
      7. Create two groups in the course
        • Test Group "One"
        • Test Group "Two"
      8. Go back to groups page
      9. Hover over each group
      10. Confirm that the tooltips read
        • Test Group "One" (0)
        • Test Group "Two" (0)
      11. Click on each group
      12. Confirm that the Members of label changes to
        • Members of: Test Group "One" (0)
        • Members of: Test Group "Two" (0)
      13. Add new user to each group
      14. After returning to the groups page
      15. Confirm the new user in the Members of: list contains complete ID number
      16. Hover over the new user
      17. Confirm the tooltip shows exactly the same as displayed in the list
      18. Click the other group in the Groups list
      19. Confirm the new user in the Members of: list contains complete ID number
      20. Hover over the new user
      21. Confirm the tooltip shows exactly the same as displayed in the list

      Description

      On the course groups page, the tooltip for each group name isn't escaped, which can lead to badly formed HTML if the name contains quotes, and also leads to the Members of label being incomplete:

      The tooltip for the Members of list is only added in response to AJAX loading of the group members (navigating to this page after using Add/remove users doesn't include one). When the tooltip for each member is added, it is double escaped:

      Sara Arjona (@sarjona) & I found this while reviewing MDL-69703.
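The two failure modes described above (a tooltip value that is not escaped, and one that is escaped twice), shown as an added example that is not Moodle's code. The sample names come from the testing instructions; the `<option>` element, the helper names and the simplified attribute parsing are assumptions made for illustration.

```javascript
// Added example, not Moodle code. Sample values are taken from the testing
// instructions; the <option> markup is an assumed stand-in for the real page.
const NAMES = ['Test Group "One" (0)', `o'really<hi>"there"`];

// Escape the five HTML-significant characters once.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  }[c]));
}

// Decode exactly one level of those entities, as an HTML parser does
// when it reads an attribute value.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#0*39);/g, (m, e) => ({
    amp: '&', lt: '<', gt: '>', quot: '"',
  }[e] || "'"));
}

// Simplified model of reading title="..." from markup: the value ends at
// the first literal double quote, then entities are decoded once.
function renderedTitle(markup) {
  const m = /title="([^"]*)"/.exec(markup);
  return m ? decodeEntities(m[1]) : null;
}

// Build the element with the title escaped 0, 1 or 2 times.
function optionMarkup(name, escapePasses) {
  let value = name;
  for (let i = 0; i < escapePasses; i++) value = escapeHtml(value);
  return `<option title="${value}">${escapeHtml(name)}</option>`;
}

// Report what the tooltip would show for each number of escape passes.
function checkTooltip(name) {
  return [0, 1, 2].map(passes => {
    const shown = renderedTitle(optionMarkup(name, passes));
    return { passes, shown, ok: shown === name };
  });
}

for (const name of NAMES) console.table(checkTooltip(name));
```

Only the single-pass row reproduces the stored name: with no escaping the value is cut at the first quote, and with two passes the entities themselves appear in the tooltip.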

        Attachments

        1. 1.png (17 kB)
        2. 2.png (31 kB)
        3. MDL-71846_Step 10_1.png (97 kB)
        4. MDL-71846_Step 10_2.png (112 kB)
        5. MDL-71846_Step 12_1.png (83 kB)
        6. MDL-71846_Step 12_2.png (83 kB)
        7. MDL-71846_Step 15.png (89 kB)
        8. MDL-71846_Step 17.png (112 kB)
        9. MDL-71846_Step 19.png (89 kB)
        10. MDL-71846_Step 21.png (120 kB)

              People

              Assignee:
              Paul Holden (pholden)
              Reporter:
              Paul Holden (pholden)
              Peer reviewer:
              Simey Lameze
              Integrator:
              Ilya Tregubov
              Tester:
              Angelia Dela Cruz
              Participants:
              Component watchers:
              Andrew Lyons, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
              Votes:
              0
              Watchers:
              5

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                8/Nov/21

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0m
                  Logged:
                  2h