
Param cleaning not applied to Communication Room Name and Room Topic


Details

    • MOODLE_402_STABLE
    • MOODLE_403_STABLE
    • MDL-78649-master
      1. Log in as admin.
      2. Navigate to Site Admin >> Development >> Experimental settings.
      3. Tick the "Enable communication subsystem" checkbox.
      4. Navigate to Site Admin >> Plugins >> Communication >> Manage communication providers.
      5. Ensure that Matrix is enabled.
      6. Create a new course.
      7. Click the More menu on the course home page and then the Communication link.
      8. Select "Matrix" in the Communication service selection box.
      9. Verify that two new inputs are shown: Room name and Room topic.
      10. Set the Room name to: ABC<script>alert('roomname');</script>DEF
      11. Set the Room topic to: ABC<script>alert('roomtopic');</script>DEF
      12. Click the Save Changes button.
      13. Click the More menu on the course home page and then the Communication link.
      14. Verify that the Room name is: ABCalert('roomname');DEF
      15. Verify that the Room topic is: ABCalert('roomtopic');DEF
    • 6
    • Team Hedgehog 2023 Sprint 3.2, Team Hedgehog 2023 Sprint 3.3

    Description

      The PARAM_TEXT element types set on the communication provider's form fields are not being identified at the time of param cleaning.

      At cleaning time the types for communicationroomname and matrixroomtopic have not yet been set, so the default type of 'raw' is applied instead. This is not ideal, and some refactoring of the communication API may be required to ensure that the provider form fields have their element types respected.

      To reproduce the issue:

      1. Ensure the experimental communication subsystem is enabled.
      2. Go to a course and edit the settings.
      3. Scroll down to the Communication section and enter something like ABC<script>alert('hello');</script>DEF into both the 'Room name' and 'Room topic' fields.
      4. After saving the form, you would expect the params to be cleaned. You can see correct cleaning if you enter a similar value into the 'Course full name' field.
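      As an added illustration (not Moodle's code), the following stand-alone PHP script models what the description states: a field whose param type is not registered at cleaning time falls back to raw and keeps the submitted tags, while a PARAM_TEXT field has them stripped. clean_value() is an approximation of the PARAM_TEXT branch of Moodle's clean_param(); the field names and payload come from this issue, and fields_without_type() is a hypothetical check that lists fields about to fall back to raw.

```php
<?php
// Added example, not Moodle's own code. Minimal model of how a form field's
// declared param type decides what is stored. Moodle's real cleaning lives in
// clean_param() (lib/moodlelib.php); the PARAM_TEXT branch below approximates it.
const PARAM_RAW  = 'raw';
const PARAM_TEXT = 'text';

// Approximation of clean_param() for the two types this issue involves.
function clean_value(string $value, string $type): string {
    switch ($type) {
        case PARAM_TEXT:
            return strip_tags($value);   // ABC<script>x</script>DEF -> ABCxDEF
        case PARAM_RAW:
        default:
            return $value;               // stored exactly as submitted
    }
}

// Clean submitted data using the types declared for the form. A field with no
// declared type falls back to PARAM_RAW, which is the behaviour this issue reports.
function clean_submission(array $submitted, array $types): array {
    $cleaned = [];
    foreach ($submitted as $field => $value) {
        $cleaned[$field] = clean_value($value, $types[$field] ?? PARAM_RAW);
    }
    return $cleaned;
}

// Hypothetical check: which submitted fields would silently fall back to raw?
function fields_without_type(array $submitted, array $types): array {
    return array_values(array_diff(array_keys($submitted), array_keys($types)));
}

// Constructed input using the value from the testing instructions.
$payload = "ABC<script>alert('roomname');</script>DEF";
$submitted = [
    'fullname'              => $payload,   // core course field, type registered
    'communicationroomname' => $payload,   // provider field, type missing at cleaning time
    'matrixroomtopic'       => $payload,   // provider field, type missing at cleaning time
];

// Before: only the core field has its type known when cleaning runs.
$before = ['fullname' => PARAM_TEXT];
print_r(fields_without_type($submitted, $before));  // communicationroomname, matrixroomtopic
print_r(clean_submission($submitted, $before));     // room name/topic keep the <script> tags

// After: provider field types are registered before cleaning, as the fix must ensure.
$after = $before + ['communicationroomname' => PARAM_TEXT, 'matrixroomtopic' => PARAM_TEXT];
print_r(clean_submission($submitted, $after));      // all three become ABCalert('roomname');DEF
```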


            People

              Meirza (meirza.arson@moodle.com)
              David Woloszyn (david.woloszyn@moodle.com)
              David Woloszyn
              Andrew Lyons
              Ron Carl Alfon Yu
              Votes: 0
              Watchers: 5


                Time Tracking

                  Estimated: Not specified
                  Remaining: 0 minutes
                  Logged: 2 days, 1 hour, 7 minutes (2d 1h 7m)
