[Sakai Jira] Assigned: (SAKIII-3926) Uploading a piece of content and embedding script inside of the description executes in search and library

Chris Roby (JIRA) sakai-ui-dev-tracking at collab.sakaiproject.org
Fri Aug 26 15:25:42 PDT 2011 

     [ https://jira.sakaiproject.org/browse/SAKIII-3926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Roby reassigned SAKIII-3926:
----------------------------------

    Assignee: Chris Roby  (was: Bert Pareyn)

> Uploading a piece of content and embedding script inside of the description executes in search and library
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SAKIII-3926
>                 URL: https://jira.sakaiproject.org/browse/SAKIII-3926
>             Project: Sakai 3 UI Dev
>          Issue Type: Bug
>          Components: Content & Media, Security
>    Affects Versions: Sprint 111
>            Reporter: Bert Pareyn
>            Assignee: Chris Roby
>            Priority: Blocker
>             Fix For: Sprint 111
>
>         Attachments: 1. usernamescript404.png, 1.1 usernamescriptsigningdropdown.png, 1.2 usernamescriptconsoledashboard.png, 1.3 usernamescriptsaving.png, 1.4 usernamescriptsearchusers.png, 10. authoroverlay.png, 2 Mymembershipsconsole.png, 3. Groupsearchrender.png, 3. Groupsearchtoaddpeople.png, 4. Categorietagsrender.png, 5.1 profileafterupdate.png, 5.1 profilebeforeupdate.png, 5.2 publicationsscripted.png, 6. addcontenttoscriptedgroup.png, 7.1 contentpermissionsrendering.png, 7.1 groupsusingcontent.png, 7.1 peopleusingcontent.png, 7.2 contentprofileversionsrendering.png, 8.1 participantsrendering.png, 8.1 uploadcontentandaddtolibrarydropdownrendering.png, 9. sakaidocaddcontentwidgetXSSattack.png, Screen shot 2011-08-23 at 18.39.15.png
>
>
> Added this very simple script in the description of a piece of content and uploaded it.
> When I add the same script to the tag field, then add to the list and click 'Edit details' it gives me a weird render (see screenshot).
> <script>location.replace("http://www.google.co.uk")</script>
> I get redirected everywhere this description shows up except for the actual content profile page (this means carousel, my library, search, explore page,...).
> We should probably run the HTML sanitizer on this like we do in the content profile page. 

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the sakai-ui-dev-tracking mailing list