** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6182
-- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1744789 Title: Avoid relying on TinyMCE code stripping alone Status in Mahara: Fix Released Status in Mahara 16.10 series: Fix Released Status in Mahara 17.04 series: Fix Released Status in Mahara 17.10 series: Fix Released Status in Mahara 18.04 series: Fix Released Status in Mahara 18.10 series: Fix Committed Bug description: TinyMCE will strip bad strings from input, eg <script> tags but we must make sure we don't just rely on that alone. We should also clean up input on the server/php end as one can create their own packet of POST data containing bad content to hit the server with. This can be seen in the Wall plugin where we can make a wallpost POST package have a bad 'text' value and have it save unaltered. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1744789/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
