Moodle / MDL-77015

Incoherent escaping of HTML in database field management page

1. Create a database activity
2. Go to Fields and add a field. Enter HTML in the field name and description, like `ab'"cd<b>ef</b>g`
3. Reset the template
4. Notice how inconsistently this HTML is handled:
   1. In the Manage fields page, the HTML is rendered in the table (ef will be bold)
   2. In the Manage fields page, in the dropdown at the bottom, the HTML tags are stripped/removed
   3. In the Database main page, the HTML tags are displayed as text
   4. In the template page, the HTML is rendered in the textarea (if the code editor is enabled), but only in the tag used to display the field value (surrounded by [[ and ]])
   5. In add/edit entry, the HTML tags are displayed as text

A solution would be to strip tags immediately after saving.

Putting this as "Could be a security issue" just in case. I don't think there is a security issue with the default Moodle parameters (might be in the rare case of the permission to use HTML being removed from a teacher ...). I also quickly looked at database permissions and it doesn't seem possible to give a non-teacher the ability to only manage fields but not presets. Feel free to remove the "could be a security issue" tag.
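As an added illustration (not part of the report and not Moodle's own code), the small Python model below reproduces the three output behaviours the report lists, using the report's sample string, and then applies one escaping policy at every output point so the user's markup is displayed rather than interpreted everywhere. The function names, the context labels and the naive tag-stripping regex are assumptions for the demonstration; Moodle's real output helpers are not modelled.

```python
import html
import re

# Constructed sample input: the string the report enters as the field name.
SAMPLE = 'ab\'"cd<b>ef</b>g'

# Naive tag matcher, used only to model "strip tags" behaviour (assumption).
TAG_RE = re.compile(r"<[^>]*>")


def render_unescaped(value: str) -> str:
    """Manage-fields table: value dropped straight into the markup, so the
    browser interprets <b>...</b> and 'ef' renders bold. Any other tag the
    author can type would be interpreted the same way."""
    return f"<td>{value}</td>"


def render_stripped(value: str) -> str:
    """Field dropdown: tags removed, the text between them kept. Quotes and
    ampersands are left alone, so the result is not attribute-safe either."""
    return f"<option>{TAG_RE.sub('', value)}</option>"


def render_escaped(value: str) -> str:
    """Database main page / add-edit entry: HTML-escaped, so the tags are
    shown to the user as literal text."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def inconsistent_outputs(value: str) -> dict:
    """The three behaviours the report observes, side by side."""
    return {
        "manage_fields_table": render_unescaped(value),
        "field_dropdown": render_stripped(value),
        "database_main_page": render_escaped(value),
    }


def consistent_outputs(value: str) -> dict:
    """One policy: store the value as typed, escape at every output point,
    including the attribute value of the <option> and the textarea."""
    safe = html.escape(value, quote=True)
    return {
        "manage_fields_table": f"<td>{safe}</td>",
        "field_dropdown": f'<option value="{safe}">{safe}</option>',
        "database_main_page": f"<td>{safe}</td>",
        "template_textarea": f"<textarea>[[{safe}]]</textarea>",
    }


def user_markup_survives(rendered: str, value: str) -> bool:
    """True if any tag typed by the user appears verbatim in the rendered
    markup, i.e. the browser would interpret it rather than display it.
    Crude check: it compares the user's tags against the whole output."""
    return any(tag in rendered for tag in TAG_RE.findall(value))


def strip_on_save(value: str) -> str:
    """The report's proposed fix: remove tags before storing. This changes the
    stored data and leaves quotes in place, so output escaping is still
    required wherever the value is printed."""
    return TAG_RE.sub("", value)


if __name__ == "__main__":
    for name, markup in inconsistent_outputs(SAMPLE).items():
        print(f"{name:22} interpreted={user_markup_survives(markup, SAMPLE)!s:5} {markup}")
    for name, markup in consistent_outputs(SAMPLE).items():
        print(f"{name:22} interpreted={user_markup_survives(markup, SAMPLE)!s:5} {markup}")
```

Running it shows that only the unescaped table path lets the user's tags reach the browser intact; that path is the one that matters for review, since whether it is exploitable depends entirely on who is allowed to type into the field name. Stripping on save, as the report suggests, removes the tags but not the quotes, so it complements rather than replaces escaping at each output context.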


Assignee: Unassigned
Reporter: DegrangeM (degrangem)
Participants: Amaia Anabitarte, Carlos Escobedo, Laurent David, Mikel Martín Corrales, Sabina Abellan, Sara Arjona (@sarjona)