Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-77015

HTML in database field management page escaped in an unexpected way

XMLWordPrintable

    • MOODLE_401_STABLE
    • MOODLE_402_STABLE, MOODLE_403_STABLE
    • MDL-77015-402
    • MDL-77015-403
    • Hide
      1. Log in as admin
      2. Create a course
      3. Add a Database activity to the course
      4. Create three Short text fields, named as follows (Field name...):
        • First
        • O'Reilly
        • ab'"cd<b>ef</b>g
      5. Confirm the Manage fields table shows each field name exactly as entered
      6. Open the Default sort field select element
      7. Confirm each select option shows the field name exactly as entered
      8. Press Database > Add entry
        • First: Well
        • O'Reilly: Hello
        • ab'"cd<b>ef</b>g: There
      9. Switch database to Single view (if not already selected)
      10. Confirm each field is listed only once, alongside the text you added for each
      11. Switch database to List view
      12. Confirm each field is listed, alongside the text you added for each
      13. Open the Sort by select element
      14. Confirm each select option shows the field name exactly as entered
      15. Select Advanced search
      16. Confirm each field is listed there with search input
      17. Press Actions > Export entries
      18. Confirm each field is listed under Choose the fields you wish to export exactly as entered
      19. Navigate back to Fields in navigation
      20. Delete the "ab'"cd<b>ef</b>g"
      21. Confirm the subsequent confirmation step shows the field name exactly as entered
      Show
      Log in as admin Create a course Add a Database activity to the course Create three Short text fields, named as follows ( Field name ...): First O'Reilly ab'"cd<b>ef</b>g Confirm the Manage fields table shows each field name exactly as entered Open the Default sort field select element Confirm each select option shows the field name exactly as entered Press Database > Add entry First: Well O'Reilly: Hello ab'"cd<b>ef</b>g: There Switch database to Single view (if not already selected) Confirm each field is listed only once, alongside the text you added for each Switch database to List view Confirm each field is listed, alongside the text you added for each Open the Sort by select element Confirm each select option shows the field name exactly as entered Select Advanced search Confirm each field is listed there with search input Press Actions > Export entries Confirm each field is listed under Choose the fields you wish to export exactly as entered Navigate back to Fields in navigation Delete the "ab'"cd<b>ef</b>g" Confirm the subsequent confirmation step shows the field name exactly as entered

      1. Create a database activity
      2. Go to field and add a field. Enter html in field name and description like `ab'"cd<b>ef</b>g`
      3. Reset template
      4. Notice how incoherent this html code is handled :
        1. In the Manage fields page the html code will be trigerred (ef will be bold) in the table
        2. In the manage field page in the dropdown at the bottom, the html tag will be stripped/removed
        3. In the Database main page, the html tags will be displayed as text
        4. In the template page, the html will be triggered in the textarea (if code editor enabled) but only in the tag used to display the field value (surrounded by [[ and ]])
        5. In add/edit entry, the html tags will be displayed as text

      A solution would be to strip tag immediatly after saving.

      Putting this as "Could be a security issue" just in case. I don't think there is a security issue with the default moodle parameter (might be in rare case of permission to use html being removed to teacher ...). I also quickly looked at database permission and it doesn't seems possible to give ability to a non teacher to only manage field but not preset. Feel free to remove the "could be a security issue" tag.

        1. database_fields.png
          database_fields.png
          37 kB
        2. database_templates.png
          database_templates.png
          60 kB
        3. escapingmoddata_app.png
          escapingmoddata_app.png
          28 kB
        4. MDL-77015.png
          MDL-77015.png
          690 kB

            pholden Paul Holden
            degrangem DegrangeM
            Sara Arjona (@sarjona) Sara Arjona (@sarjona)
            Huong Nguyen Huong Nguyen
            Ron Carl Alfon Yu Ron Carl Alfon Yu
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 3 hours, 37 minutes
                3h 37m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.