Reviewed:  https://reviews.mahara.org/8786
Committed: https://git.mahara.org/mahara/mahara/commit/4037f9bf730cfb995b89db11fe93d83b06bf6fc8
Submitter: Robert Lyon (robe...@catalyst.net.nz)
Branch:    17.04_STABLE

commit 4037f9bf730cfb995b89db11fe93d83b06bf6fc8
Author: Robert Lyon <robe...@catalyst.net.nz>
Date:   Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission,
but we also need to do cleaning on the PHP side in case a hacker posts directly.

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <robe...@catalyst.net.nz>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)
(cherry picked from commit 8a8b21e4014137680da34d00af76c608c3f8b222)

https://bugs.launchpad.net/bugs/1744789

Title:
  Avoid relying on TinyMCE code stripping alone

Status in Mahara:
  Fix Committed
Status in Mahara 16.10 series:
  Fix Committed
Status in Mahara 17.04 series:
  Fix Committed
Status in Mahara 17.10 series:
  Fix Committed
Status in Mahara 18.04 series:
  Fix Committed
Status in Mahara 18.10 series:
  Fix Committed

Bug description:
  TinyMCE will strip bad strings from input, e.g. <script> tags, but we
  must make sure we don't just rely on that alone. We should also clean
  up input on the server/PHP end, as one can create their own packet of
  POST data containing bad content to hit the server with.

  This can be seen in the Wall plugin where we can make a wallpost POST
  package have a bad 'text' value and have it save unaltered.
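The server-side cleaning the bug description asks for, as an added example that is not Mahara's own code or the committed fix: a wall post handler that reduces the submitted 'text' field to an allowlist of elements and attributes on the PHP side, so a POST body crafted without the TinyMCE editor is cleaned just the same. The function names, the allowlist and the constructed POST body are assumptions for illustration; a real deployment would normally hand this job to a maintained library such as HTML Purifier rather than the hand-rolled DOM walk shown here.

```php
<?php
// Added example, not Mahara code. Server-side sanitisation of a wall post's
// 'text' field, independent of anything the browser editor stripped.
// Allowlist, function names and the sample POST body are constructed assumptions.

const WALLPOST_ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a'];
const WALLPOST_ALLOWED_ATTRS = ['a' => ['href']];
// Elements whose *contents* must go too (unwrapping them would leak script text as text).
const WALLPOST_DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

/**
 * Recursively reduce $node's subtree to the allowlisted elements and attributes.
 * Non-allowlisted elements are unwrapped (their text survives), except those in
 * WALLPOST_DROP_WITH_CONTENT, which are removed with everything inside them.
 */
function sanitise_node(DOMNode $node): void {
    // Walk a snapshot: the child list is mutated while we iterate.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue; // plain text is always fine; DOM serialisation escapes it
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child); // comments, processing instructions, etc.
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, WALLPOST_ALLOWED_TAGS, true)) {
            if (in_array($tag, WALLPOST_DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
                continue;
            }
            sanitise_node($child); // clean grandchildren before hoisting them up
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Allowed element: keep only the attributes allowlisted for that tag,
        // and only hrefs with a scheme we accept (so javascript: URLs are dropped).
        $allowed = WALLPOST_ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed, true)) {
                $child->removeAttribute($attr->name);
            } elseif ($name === 'href' && !preg_match('#^(https?:|mailto:|/)#i', trim($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitise_node($child);
    }
}

/** Return $html reduced to the allowlist above. */
function clean_wallpost_text(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the malformed markup attackers send
    $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitise_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

/**
 * Hypothetical wall post handler. The cleaning happens here, on the server,
 * regardless of what the client claims to have done. Returns the value to store.
 */
function save_wallpost(array $post): string {
    $text = (string)($post['text'] ?? '');
    return clean_wallpost_text($text);
}

// Constructed POST body of the kind the bug report describes: sent directly to
// the server, so TinyMCE never saw it. Only <p>, its text and the link text survive.
$crafted = [
    'text' => '<p onclick="x()">hi</p><script>alert(1)</script><a href="javascript:void(0)">link</a>',
];
echo save_wallpost($crafted), "\n";
```

The point of the design is that `save_wallpost()` never trusts the request: an editor that strips tags in the browser is a usability feature, not a security boundary, because the same endpoint accepts any byte string a client chooses to POST. Annotations and résumé composite fields mentioned in the commit message want the same treatment, with the allowlist adjusted to whatever markup each field is meant to carry.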

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net