** Information type changed from Private Security to Public Security **

** Changed in: mahara/1.5
   Status: Fix Committed => Fix Released

** Changed in: mahara/1.6
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1153423

Title:
  Stored XSS in TinyMCE editor

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.5 series:
  Fix Released
Status in Mahara 1.6 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Committed

Bug description:
  Reported by two independent researchers in different locations.

  How to reproduce:
  - Go to a page with a TinyMCE editor (such as /artefact/internal/ -> Introduction)
  - Click the TinyMCE "HTML" button
  - Enter a payload of something like "<img src=x onmouseover=alert(1)>"
  - Save the page
  - Reload, hover over the broken image, notice the alert

  The XSS is stored only for the editing part of the TinyMCE editor. I couldn't quickly find any location where it was not escaped in the view section (which is blocktype dependent; the above example would be the profileinfo blocktype from artefact/internal).

  The fix is to escape the value sent to TinyMCE in lib/form/elements/wysiwyg.php, patch forthcoming.

  The other location reported was in a new page, the "Page description" input. The same patch fixes this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1153423/+subscriptions
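As an added illustration of the fix the report describes (this is example code, not Mahara's own wysiwyg.php; the function names and the element array are assumptions), the two forms below render the textarea that TinyMCE is attached to: the unescaped form writes the stored value straight into the markup, the fixed form entity-encodes it first so the browser treats it as text.

```php
<?php
// Added example, not Mahara's code. Shows the unescaped rendering the bug
// describes beside the escaped rendering proposed as the fix. The function
// names and the $element array layout are assumptions for illustration.

// Vulnerable form: the stored value is concatenated into the markup, so any
// tags it contains (and any "</textarea>" it contains) are parsed by the
// browser as real HTML instead of as the element's text content.
function render_wysiwyg_unescaped(array $element): string {
    return '<textarea name="' . $element['name'] . '" id="' . $element['id'] . '">'
        . $element['value']
        . '</textarea>';
}

// Fixed form: every embedded string is HTML-entity encoded, so the browser
// parses it as text; when the page loads, the textarea's decoded value is the
// original string, which TinyMCE then receives as data rather than markup.
function render_wysiwyg_escaped(array $element): string {
    $esc = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    return '<textarea name="' . $esc($element['name']) . '" id="' . $esc($element['id']) . '">'
        . $esc($element['value'])
        . '</textarea>';
}

// Constructed input using the payload quoted in the bug report.
$element = [
    'name'  => 'introduction',
    'id'    => 'profileform_introduction',   // assumed id, not Mahara's
    'value' => '<img src=x onmouseover=alert(1)>',
];

echo "Unescaped: " . render_wysiwyg_unescaped($element) . "\n";
echo "Escaped:   " . render_wysiwyg_escaped($element) . "\n";

// Self-check: the escaped output carries no raw tag start from the value,
// only its encoded form.
$escaped = render_wysiwyg_escaped($element);
assert(strpos($escaped, '<img') === false);
assert(strpos($escaped, '&lt;img src=x onmouseover=alert(1)&gt;') !== false);
```

Run with `php example.php`; the unescaped line prints the payload verbatim inside the textarea, the escaped line prints `&lt;img src=x onmouseover=alert(1)&gt;`.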