Lesterhuis-Training-en-Consultancy / moodle-block-user_favorites

Moodle plugin - marking pages as favorites
GNU General Public License v3.0

incorrect Risk flags on capabilities causing security warnings in reports. #26

Closed danmarsden closed 8 months ago

danmarsden commented 9 months ago

The capabilities user_favorites:addinstance, user_favorites:add, user_favorites:delete, user_favorites:view all seem to have the wrong riskbitmasks set.

After installing this plugin, the Moodle security checks report shows big warnings about all the authenticated users being able to perform XSS, and I'm pretty sure this plugin doesn't have any emailing capability, so the RISK_SPAM flag shouldn't be there either.

gemguardian commented 9 months ago

@luukverhoeven could you please check Dan's comment and make the necessary change?

luukverhoeven commented 9 months ago

@gemguardian, we've made some modifications to the code. Could you please validate these changes? https://github.com/Lesterhuis-Training-en-Consultancy/moodle-block-user_favorites/tree/86bwcn75d_riskbitflags

gemguardian commented 9 months ago

@luukverhoeven just to be sure, does addinstance need the XSS warning? You can add the block to a page, but you only add Moodle pages to the favorites. And yes, in such a page there could be XSS, but it is not necessarily caused by the block itself.

I did not see any other issues, tested on M4.1, PHP 8.


gemguardian commented 8 months ago

@luukverhoeven as discussed, the flag stays; there is a risk that the title could contain XSS content. We could prevent this by using PARAM_TEXT instead of PARAM_RAW.

I will make a separate issue for this, and will see if we will change this in the future ourselves or someone sends in a pull request. I will close this issue as we made the correct changes in the new 4.1/4.2 release.
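For readers unfamiliar with how Moodle expresses these flags, the following `db/access.php` fragment is an added illustration of the thread's conclusion (RISK_XSS kept on addinstance only, RISK_SPAM dropped everywhere); it is not the plugin's actual file. The capability names are assumed to be prefixed `block/user_favorites:`, the non-block capabilities are assumed to live at CONTEXT_SYSTEM and be granted to the `user` archetype, and the "was" values reflect the report, not a verified diff.

```php
<?php
// Added illustration of a Moodle db/access.php, not the plugin's own code.
// Assumptions: capability prefix block/user_favorites:, CONTEXT_SYSTEM and
// the 'user' archetype for the add/delete/view capabilities.
defined('MOODLE_INTERNAL') || die();

$capabilities = [
    // Placing the block on a page lets the user set a block title that is
    // rendered back to other users, so RISK_XSS is justified here. The plugin
    // sends no email, so RISK_SPAM (assumed to have been set before) is dropped.
    'block/user_favorites:addinstance' => [
        'riskbitmask'  => RISK_XSS,   // assumed before: RISK_XSS | RISK_SPAM
        'captype'      => 'write',
        'contextlevel' => CONTEXT_BLOCK,
        'archetypes'   => [
            'editingteacher' => CAP_ALLOW,
            'manager'        => CAP_ALLOW,
        ],
        'clonepermissionsfrom' => 'moodle/site:manageblocks',
    ],

    // Bookmarking or removing a bookmark only stores a reference to an
    // existing Moodle page, so no risk bit is set. Granting a capability
    // carrying RISK_XSS to the 'user' archetype is exactly what makes the
    // security report warn that all authenticated users can perform XSS.
    'block/user_favorites:add' => [
        'captype'      => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes'   => ['user' => CAP_ALLOW],
    ],
    'block/user_favorites:delete' => [
        'captype'      => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes'   => ['user' => CAP_ALLOW],
    ],

    // Listing favorites is read-only; no riskbitmask key at all.
    'block/user_favorites:view' => [
        'captype'      => 'read',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes'   => ['user' => CAP_ALLOW],
    ],
];
```

After editing `db/access.php`, bump the plugin version so Moodle reloads the capability definitions, then re-run Site administration > Reports > Security checks to confirm the warning is gone.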