MDL-71846: Inconsistent escaping of user/group names on group management page

    • MOODLE_310_STABLE, MOODLE_311_STABLE
      1. Log in as admin
      2. Navigate to Users > Permissions > User policies in site administration
      3. Select ID number for Show user identity and save changes
      4. Create a new user with ID number:

        o'really<hi>"there"
        

      5. Create a new course
        • Group mode: Visible groups
      6. Enrol new user on course as a student
      7. Create two groups in the course
        • Test Group "One"
        • Test Group "Two"
      8. Go back to groups page
      9. Hover over each group
      10. Confirm that the tooltips read
        • Test Group "One" (0)
        • Test Group "Two" (0)
      11. Click on each group
      12. Confirm that the Members of label changes to
        • Members of: Test Group "One" (0)
        • Members of: Test Group "Two" (0)
      13. Add new user to each group
      14. After returning to the groups page
      15. Confirm the new user in the Members of: list contains complete ID number
      16. Hover over the new user
      17. Confirm the tooltip shows exactly the same as displayed in the list
      18. Click the other group in the Groups list
      19. Confirm the new user in the Members of: list contains complete ID number
      20. Hover over the new user
      21. Confirm the tooltip shows exactly the same as displayed in the list

      On the course groups page, the tooltip for each group name isn't escaped. This can produce badly formed HTML if the name contains quotes, and it also leaves the Members of label incomplete.

      The tooltip for the Members of list is only added in response to AJAX loading of the group members (navigating to this page after using Add/remove users doesn't include one). When the tooltip for each member is added, it is double escaped.

      sarjona & I found this while reviewing MDL-69703.
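
The three outcomes described above (no escaping, escaping once, escaping twice), shown with the group name and ID number from the testing steps. This is an added example, not Moodle's code: the helper names and the simplified attribute parsing are assumptions made for illustration.

```javascript
// Added illustration, not Moodle code. escapeHtml, decodeEntities, optionHtml
// and tooltipSeen are hypothetical helpers; the names are the page's test values.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Escape a string for use inside a double-quoted HTML attribute or text node.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Decode exactly one level of the entities above, as an HTML parser does once.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (m) =>
    Object.keys(ENTITIES).find((c) => ENTITIES[c] === m));
}

// Build the markup for one list entry; `times` is how often the value is escaped.
function optionHtml(name, times) {
  let value = name;
  for (let i = 0; i < times; i++) value = escapeHtml(value);
  return `<option title="${value}">${escapeHtml(name)}</option>`;
}

// Simplified model of attribute parsing: the value ends at the first raw
// double quote, then entities are decoded once. This is what the tooltip shows.
function tooltipSeen(html) {
  const raw = html.slice(html.indexOf('title="') + 7);
  return decodeEntities(raw.slice(0, raw.indexOf('"')));
}

const group = 'Test Group "One" (0)';
const idnumber = `o'really<hi>"there"`;

// x0 matches the group-name tooltip in the report, x2 the member tooltip.
for (const [label, name] of [['group', group], ['user', idnumber]]) {
  for (const times of [0, 1, 2]) {
    console.log(`${label} escaped x${times}: ${tooltipSeen(optionHtml(name, times))}`);
  }
}
```

Only the escape-once case reproduces the stored name exactly, which is what steps 10, 17 and 21 check for.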

            pholden Paul Holden
            pholden Paul Holden
            Simey Lameze Simey Lameze
            Ilya Tregubov Ilya Tregubov
            Angelia Dela Cruz Angelia Dela Cruz