MDL-78649: Param cleaning not applied to Communication Room Name and Room Topic


    • MOODLE_402_STABLE
    • MOODLE_403_STABLE
    • MDL-78649-master
      1. Login as admin
      2. Navigate to Site Admin >> Development >> Experimental settings
      3. Tick the Enable communication subsystem checkbox
      4. Navigate to Site Admin >> Plugins >> Communication >> Manage communication providers
      5. Ensure the Matrix provider is enabled
      6. Create a new course
      7. Click the More menu on the course home page and then the Communication link.
      8. Select "Matrix" in the Communication service selection box.
      9. Verify that two new inputs are shown: Room name and Room topic
      10. Specify the Room name with: ABC<script>alert('roomname');</script>DEF
      11. Specify the Room topic with: ABC<script>alert('roomtopic');</script>DEF
      12. Click the Save Changes button
      13. Click the More menu on the course home page and then the Communication link.
      14. Verify that the Room name is: ABCalert('roomname');DEF
      15. Verify that the Room topic is: ABCalert('roomtopic');DEF
    • Team Hedgehog 2023 Sprint 3.2, Team Hedgehog 2023 Sprint 3.3

      The PARAM_TEXT element types set on the communication provider's form fields are not being recognised at the time of param cleaning.

      When cleaning runs, the types for communicationroomname and matrixroomtopic have not yet been set, so the default of 'raw' is applied. This is not ideal, and some refactoring of the communication API may be required to ensure the provider form fields have their element types respected.

      To reproduce the issue:

      1. Ensure the experimental communication subsystem is enabled.
      2. Go to a course and edit the settings.
      3. Scroll down to the Communication section and enter something like ABC<script>alert('hello');</script>DEF into both the 'Room name' and 'Room topic' fields
      4. After saving the form, you would expect the params to be cleaned. You can see correct cleaning if you enter a similar value into the 'Course full name' field.
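A small Python model of the mechanism the description outlines, added here as an illustration (it is not Moodle code and does not call Moodle's clean_param()): field types registered only after cleaning has run fall back to raw, while registering them first yields the PARAM_TEXT result the test steps expect. The FormModel class, the tag-stripping regex, the find_untyped() check and the two submit_* functions are assumptions made for this example; the sample values are taken from the test steps on this page.

```python
import re

# Type names modelled on Moodle's PARAM_* constants (assumption: string tags are enough for the model).
PARAM_RAW = "raw"
PARAM_TEXT = "text"

# Constructed sample inputs, copied from the tracker's test steps.
SAMPLE_ROOM_NAME = "ABC<script>alert('roomname');</script>DEF"
SAMPLE_ROOM_TOPIC = "ABC<script>alert('roomtopic');</script>DEF"

_TAG_RE = re.compile(r"<[^>]*>")


def clean_param(value: str, param_type: str) -> str:
    """Minimal stand-in for clean_param(): PARAM_TEXT strips tags, PARAM_RAW leaves the value untouched."""
    if param_type == PARAM_TEXT:
        return _TAG_RE.sub("", value)
    if param_type == PARAM_RAW:
        return value
    raise ValueError(f"unknown param type {param_type!r}")


class FormModel:
    """Toy form: fields declare a type via set_type(); clean() defaults to raw when no type is registered."""

    def __init__(self) -> None:
        self.types: dict[str, str] = {}

    def set_type(self, field: str, param_type: str) -> None:
        self.types[field] = param_type

    def find_untyped(self, data: dict[str, str]) -> list[str]:
        """Detection check: submitted fields that would silently fall back to the raw default."""
        return sorted(k for k in data if k not in self.types)

    def clean(self, data: dict[str, str]) -> dict[str, str]:
        return {k: clean_param(v, self.types.get(k, PARAM_RAW)) for k, v in data.items()}


def submit_buggy(data: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Ordering described in the tracker: provider field types arrive only after cleaning has happened."""
    form = FormModel()
    form.set_type("fullname", PARAM_TEXT)          # core course field: typed up front, cleaned correctly
    untyped = form.find_untyped(data)              # provider fields are still untyped at this point
    cleaned = form.clean(data)                     # ... so they are cleaned as raw
    form.set_type("communicationroomname", PARAM_TEXT)  # registered too late to matter
    form.set_type("matrixroomtopic", PARAM_TEXT)
    return cleaned, untyped


def submit_fixed(data: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Provider fields register their types before cleaning, so PARAM_TEXT is respected."""
    form = FormModel()
    for field in ("fullname", "communicationroomname", "matrixroomtopic"):
        form.set_type(field, PARAM_TEXT)
    return form.clean(data), form.find_untyped(data)
```

Feeding the page's sample strings through submit_buggy() leaves the two provider fields unchanged while 'fullname' is stripped; submit_fixed() returns ABCalert('roomname');DEF and ABCalert('roomtopic');DEF, matching the verification steps.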

            Meirza (meirza.arson@moodle.com)
            David Woloszyn (david.woloszyn@moodle.com)
            Andrew Lyons
            Ron Carl Alfon Yu