** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1719472

Title:
  User autocomplete selector in Mail composer not escaping the name

Status in Mahara:
  Fix Released
Status in Mahara 16.04 series:
  In Progress
Status in Mahara 16.10 series:
  In Progress
Status in Mahara 17.04 series:
  In Progress
Status in Mahara 17.10 series:
  Fix Released

Bug description:
  This means that a user can set a bad name and compromise another user.

  To reproduce:
  *) Log in as "user1"
  *) Click on "Main menu" - "Content" - "Profile" - "About me"
  *) Insert at "First name" or "Last name" or "Display name": <script>alert(1)</script>
  *) Save with "Save profile"
  *) Click on "User menu" - "0 unread" - "Compose"
  *) Send a message to another user, for example:
       Recipients: user2
       Subject: Hello
       Message: Please reply
  *) Send the message with "Send message"
  *) Log out as "user1"
  *) Log in as "user2"
  *) Open the received message in the dashboard ("Inbox")
  *) Click on "Reply"
  *) The alert dialog appears

  To fix:
  Normally when we show a user's name to screen we filter it via hsc().
  But in this case the name is being fetched by the autocomplete pieform
  element via the translate_ids_to_names() function without being escaped.
  So we need to escape it before returning the name.
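
The fix described above, shown as an added example that is not part of the original report and is not Mahara's source code. The function bodies, the data shape, the stand-in hsc() and the render_recipient() helper are assumptions made for illustration; only the names hsc() and translate_ids_to_names() come from the report.

```php
<?php
// Added illustration; not Mahara source. Bodies and data shape are assumptions.

// Stand-in for the hsc() helper named in the report: HTML-escape for output.
function hsc(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data: user id => display name as stored in the profile.
const SAMPLE_USERS = [
    1 => '<script>alert(1)</script>',   // the name from the reproduction steps
    2 => "Tom O'Neil & Co",             // legitimate name with special characters
];

// Before: names go back to the autocomplete element exactly as stored.
function translate_ids_to_names_unescaped(array $ids, array $users): array {
    $result = [];
    foreach ($ids as $id) {
        if (isset($users[$id])) {
            $result[] = ['id' => (int) $id, 'text' => $users[$id]];
        }
    }
    return $result;
}

// After: each name is escaped once, at the point where it leaves for the page.
function translate_ids_to_names_escaped(array $ids, array $users): array {
    $result = [];
    foreach ($ids as $id) {
        if (isset($users[$id])) {
            $result[] = ['id' => (int) $id, 'text' => hsc($users[$id])];
        }
    }
    return $result;
}

// Hypothetical renderer: inserts the returned text into markup unchanged.
function render_recipient(array $item): string {
    return '<li data-id="' . $item['id'] . '">' . $item['text'] . '</li>';
}

foreach (['unescaped', 'escaped'] as $variant) {
    $fn = "translate_ids_to_names_$variant";
    foreach ($fn([1, 2, 99], SAMPLE_USERS) as $item) {   // id 99 does not exist
        $html = render_recipient($item);
        $flag = stripos($html, '<script') !== false ? 'ACTIVE MARKUP' : 'inert text';
        printf("%-9s %-13s %s\n", $variant, $flag, $html);
    }
}
```

Escape at exactly one layer: if the element that consumes these names also escapes them, legitimate names containing & or ' will display double-encoded.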