[Mahara-contributors] [Bug 1472439] Re: XSS in "add to watchlist" link on artefact detail screen
** CVE added: https://cve.mitre.org/cgi- bin/cvename.cgi?name=2017-1000146 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1472439 Title: XSS in "add to watchlist" link on artefact detail screen Status in Mahara: Fix Released Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Won't Fix Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Released Status in Mahara 15.10 series: Fix Released Bug description: Issue reported by Yuji Tounai through secur...@mahara.org On artefact detail screens, when we you click on the "add to watchlist" link, we use AJAX to update the link to read "remove from watchlist". But, we are not properly escaping the page title in that AJAX, which makes it possible to execute Javascript that has been placed in the page title. To replicate: 1. Create a portfolio Page 2. Give the page this title: "> 3. Put an image block in the page. 4. View the page in display mode. 5. Click on the link to view the artefact detail screen for the image 6. At the bottom of the artefact detail screen, click on the link that reads "Add page "">" to watchlist" or "Remove page "">" to watchlist" Expected result: The page should be added or removed from your watchlist, and the link title should show the HTML-escaped version of the page title. Actual result: The page is added or removed from your watchlist, but the link title is not HTML-escaped and Javascript "alert(location)" executes. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1472439/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1472439] Re: XSS in "add to watchlist" link on artefact detail screen
** Changed in: mahara/15.10 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1472439 Title: XSS in "add to watchlist" link on artefact detail screen Status in Mahara: Fix Released Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Won't Fix Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Released Status in Mahara 15.10 series: Fix Released Bug description: Issue reported by Yuji Tounai through secur...@mahara.org On artefact detail screens, when we you click on the "add to watchlist" link, we use AJAX to update the link to read "remove from watchlist". But, we are not properly escaping the page title in that AJAX, which makes it possible to execute Javascript that has been placed in the page title. To replicate: 1. Create a portfolio Page 2. Give the page this title: "> 3. Put an image block in the page. 4. View the page in display mode. 5. Click on the link to view the artefact detail screen for the image 6. At the bottom of the artefact detail screen, click on the link that reads "Add page "">" to watchlist" or "Remove page "">" to watchlist" Expected result: The page should be added or removed from your watchlist, and the link title should show the HTML-escaped version of the page title. Actual result: The page is added or removed from your watchlist, but the link title is not HTML-escaped and Javascript "alert(location)" executes. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1472439/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1472439] Re: XSS in "add to watchlist" link on artefact detail screen
** Description changed: + Issue reported by Yuji Tounai through secur...@mahara.org + On artefact detail screens, when we you click on the "add to watchlist" link, we use AJAX to update the link to read "remove from watchlist". But, we are not properly escaping the page title in that AJAX, which makes it possible to execute Javascript that has been placed in the page title. To replicate: 1. Create a portfolio Page 2. Give the page this title: "> 3. Put an image block in the page. 4. View the page in display mode. 5. Click on the link to view the artefact detail screen for the image 6. At the bottom of the artefact detail screen, click on the link that reads "Add page "">" to watchlist" or "Remove page "">" to watchlist" Expected result: The page should be added or removed from your watchlist, and the link title should show the HTML-escaped version of the page title. Actual result: The page is added or removed from your watchlist, but the link title is not HTML-escaped and Javascript "alert(location)" executes. -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1472439 Title: XSS in "add to watchlist" link on artefact detail screen Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Won't Fix Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Released Status in Mahara 15.10 series: Fix Committed Bug description: Issue reported by Yuji Tounai through secur...@mahara.org On artefact detail screens, when we you click on the "add to watchlist" link, we use AJAX to update the link to read "remove from watchlist". But, we are not properly escaping the page title in that AJAX, which makes it possible to execute Javascript that has been placed in the page title. To replicate: 1. Create a portfolio Page 2. Give the page this title: "> 3. Put an image block in the page. 4. View the page in display mode. 5. Click on the link to view the artefact detail screen for the image 6. At the bottom of the artefact detail screen, click on the link that reads "Add page "">" to watchlist" or "Remove page "">" to watchlist" Expected result: The page should be added or removed from your watchlist, and the link title should show the HTML-escaped version of the page title. Actual result: The page is added or removed from your watchlist, but the link title is not HTML-escaped and Javascript "alert(location)" executes. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1472439/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1472439] Re: XSS in "add to watchlist" link on artefact detail screen
** Changed in: mahara/15.04 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1472439 Title: XSS in "add to watchlist" link on artefact detail screen Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Won't Fix Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Released Status in Mahara 15.10 series: Fix Committed Bug description: On artefact detail screens, when we you click on the "add to watchlist" link, we use AJAX to update the link to read "remove from watchlist". But, we are not properly escaping the page title in that AJAX, which makes it possible to execute Javascript that has been placed in the page title. To replicate: 1. Create a portfolio Page 2. Give the page this title: "> 3. Put an image block in the page. 4. View the page in display mode. 5. Click on the link to view the artefact detail screen for the image 6. At the bottom of the artefact detail screen, click on the link that reads "Add page "">" to watchlist" or "Remove page "">" to watchlist" Expected result: The page should be added or removed from your watchlist, and the link title should show the HTML-escaped version of the page title. Actual result: The page is added or removed from your watchlist, but the link title is not HTML-escaped and Javascript "alert(location)" executes. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1472439/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1472439] Re: XSS in "add to watchlist" link on artefact detail screen
** Changed in: mahara/1.9 Status: Fix Committed => Fix Released ** Changed in: mahara/1.10 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1472439 Title: XSS in "add to watchlist" link on artefact detail screen Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Won't Fix Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Committed Status in Mahara 15.10 series: Fix Committed Bug description: On artefact detail screens, when we you click on the "add to watchlist" link, we use AJAX to update the link to read "remove from watchlist". But, we are not properly escaping the page title in that AJAX, which makes it possible to execute Javascript that has been placed in the page title. To replicate: 1. Create a portfolio Page 2. Give the page this title: "> 3. Put an image block in the page. 4. View the page in display mode. 5. Click on the link to view the artefact detail screen for the image 6. At the bottom of the artefact detail screen, click on the link that reads "Add page "">" to watchlist" or "Remove page "">" to watchlist" Expected result: The page should be added or removed from your watchlist, and the link title should show the HTML-escaped version of the page title. Actual result: The page is added or removed from your watchlist, but the link title is not HTML-escaped and Javascript "alert(location)" executes. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1472439/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1472439] Re: XSS in "add to watchlist" link on artefact detail screen
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1472439 Title: XSS in "add to watchlist" link on artefact detail screen Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Committed Status in Mahara 1.8 series: Won't Fix Status in Mahara 1.9 series: Fix Committed Status in Mahara 15.04 series: Fix Committed Status in Mahara 15.10 series: Fix Committed Bug description: On artefact detail screens, when we you click on the "add to watchlist" link, we use AJAX to update the link to read "remove from watchlist". But, we are not properly escaping the page title in that AJAX, which makes it possible to execute Javascript that has been placed in the page title. To replicate: 1. Create a portfolio Page 2. Give the page this title: "> 3. Put an image block in the page. 4. View the page in display mode. 5. Click on the link to view the artefact detail screen for the image 6. At the bottom of the artefact detail screen, click on the link that reads "Add page "">" to watchlist" or "Remove page "">" to watchlist" Expected result: The page should be added or removed from your watchlist, and the link title should show the HTML-escaped version of the page title. Actual result: The page is added or removed from your watchlist, but the link title is not HTML-escaped and Javascript "alert(location)" executes. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1472439/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp