Moodle app / MOBILE-3733

Self-XSS in DM (Mobile app)

Testing instructions:

This issue only needs to be tested on one device.

We'll only test the fix in messaging because the code is the same in all the places that were fixed and it takes a lot of time to test them all.

1. In the app, open a message discussion while online.
2. Send the following message: <img src="x" onerror="alert(1)">. Check that you don't see any popup with the number "1".
3. Go offline and send the message again. Check that you don't see any popup with the number "1".
4. Optional: if you want to test any of the other features mentioned in the comments, feel free to do so, but I already tested them. To do so, you'll need to generate data while offline and check that the popup isn't shown.
    • MOODLE_39_STABLE
    • Moodle Apps Sprint 2025-I1.4

There is a way to self-XSS in the mobile app (done on Android).

Steps:

1. Open a DM with anybody (myself in my case).
2. Send "<img src=x onerror=alert(1)>".
3. It alerts "1".

(Reopening the DM doesn't re-execute the script; it only works on the sender's side at sending time.)

It may be injectable in other ways too.
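The injection in the description and the online/offline checks in the testing instructions, as an added example that is not the Moodle app's own code: a hypothetical message renderer that drops the message body into the markup as raw HTML (the pattern that lets the img onerror handler fire when the sender's own copy is rendered) beside the same renderer with HTML escaping, plus a crude check a tester can run on the rendered markup. The function names, the renderer itself, and the explanation offered in the comments for why only the sender's copy executes (the locally rendered text never passed through any server-side cleaning, while the copy fetched back from the server does) are assumptions of this example, not details taken from the fix.

```javascript
// Added example (not Moodle app code). Names below are hypothetical.

// Constructed sample inputs: the payload from the testing instructions and
// the unquoted variant from the issue description.
const PAYLOAD_QUOTED = '<img src="x" onerror="alert(1)">';
const PAYLOAD_BARE = '<img src=x onerror=alert(1)>';

// Vulnerable rendering (hypothetical): the typed text is concatenated
// straight into markup that will be assigned to innerHTML. Assumption: an
// offline (locally stored) message takes this path with the raw typed
// text, so nothing has escaped it before the HTML parser sees it.
function renderUnsafe(text) {
  return `<div class="message">${text}</div>`;
}

// Minimal HTML escape covering the characters that can open a tag or break
// out of an attribute value. The escaped text is inert in element content
// and in double- or single-quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: same markup, but the body is escaped first, so the
// payload is shown literally instead of being parsed as an <img> element.
function renderSafe(text) {
  return `<div class="message">${escapeHtml(text)}</div>`;
}

// Crude tester's check on the rendered markup: is there any element that
// carries an on* event-handler attribute? A regex is acceptable here only
// because the input is markup we produced ourselves, not arbitrary HTML.
function containsEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Runs both renderers over both payloads and reports which ones would
// have let an event handler through.
function checkPayloads(payloads) {
  return payloads.map((p) => ({
    payload: p,
    unsafeHasHandler: containsEventHandler(renderUnsafe(p)),
    safeHasHandler: containsEventHandler(renderSafe(p)),
  }));
}

module.exports = { renderUnsafe, renderSafe, escapeHtml, containsEventHandler, checkPayloads, PAYLOAD_QUOTED, PAYLOAD_BARE };
```

The escape above is the element-content/attribute-value case only; if the fixed code ever places message text inside a URL, a script block or an unquoted attribute, a different encoding is needed for that context, and the test in the instructions (no popup online, no popup offline) should be repeated for each rendering path the fix touched.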

People: Dani Palou (dpalou), djdjdjf, Pau Ferrer, Isabel Renedo Rouco
Votes: 0
Watchers: 4

Time logged: 3w 1d 1h 51m (original estimate not specified; remaining estimate 0m)