Security: Notefield not formatted before displayed, allowing for XSS
mudrd8mz opened this issue
David Mudrák commented
When displaying the notefield, only file_rewrite_pluginfile_urls() is called. But there needs to be format_text() called first to
- apply the selected format such as Markdown
- apply all enabled filters
- clean the text from embedded JS
As it is now, users can submit JS into their public notes, which is then executed in other users' sessions. That is a serious security bug. Please refer to https://docs.moodle.org/dev/Security:Cross-site_scripting
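The display path described in the issue, as an added example that is not the plugin's own code: the vulnerable rendering that only rewrites pluginfile URLs, beside a fixed version that also runs the field through format_text(). It assumes a hypothetical component `local_example` with file area `note`, a note object carrying `$note->text` and `$note->textformat`, and follows Moodle's usual ordering of rewriting URLs before format_text().

```php
<?php
// Added example, not the plugin's code. Component 'local_example', file area
// 'note' and the $note->text / $note->textformat fields are assumptions; they
// stand in for whatever the plugin actually stores for its notefield.
defined('MOODLE_INTERNAL') || die();

/**
 * VULNERABLE: only the @@PLUGINFILE@@ placeholders are rewritten. Nothing
 * converts the stored format, runs the enabled filters, or strips embedded
 * script, so a constructed note such as "hi <script>alert(1)</script>" is
 * echoed verbatim into every viewer's page.
 */
function local_example_render_note_vulnerable(stdClass $note, context $context): string {
    $text = file_rewrite_pluginfile_urls($note->text, 'pluginfile.php',
        $context->id, 'local_example', 'note', $note->id);
    return html_writer::div($text, 'note');
}

/**
 * FIXED: rewrite the pluginfile URLs first (Moodle's usual order, so filters
 * and the cleaner see the final URLs), then pass the result through
 * format_text(). format_text() applies the stored format (Markdown, plain
 * text, HTML), runs all enabled text filters and cleans the HTML, which drops
 * <script> elements and on* event handlers. 'noclean' and 'trusted' are the
 * defaults and are spelled out here so the cleaning step is explicit.
 */
function local_example_render_note(stdClass $note, context $context): string {
    $text = file_rewrite_pluginfile_urls($note->text, 'pluginfile.php',
        $context->id, 'local_example', 'note', $note->id);
    $options = ['context' => $context, 'noclean' => false, 'trusted' => false];
    return html_writer::div(format_text($text, $note->textformat, $options), 'note');
}
```

When reviewing a fix like this, check that every place the note is printed (listing pages, AJAX fragments, exports) goes through the fixed function rather than only the main view page.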