Closed mudrd8mz closed 3 years ago
When displaying the `notefield` only `file_rewrite_pluginfile_urls()` is called. But there needs to be `format_text()` called first to

As it is now, users can submit JS into their public notes, which is then executed in other users' sessions. That is a serious security bug. Please refer to https://docs.moodle.org/dev/Security:Cross-site_scripting
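As an added illustration of the two output paths the report contrasts (this is not code from the issue or from the plugin it was filed against), assuming a hypothetical plugin `local_notes` that keeps a note's raw HTML in `$note->notefield`, its text format in `$note->notefieldformat`, and embedded files in a `note` filearea keyed by `$note->id`:

```php
<?php
// Added example, not code from the issue or the plugin it reports against.
// Assumed (hypothetical) names: component 'local_notes', filearea 'note',
// record fields $note->notefield and $note->notefieldformat.

/**
 * Vulnerable: the pattern the issue describes. Only the @@PLUGINFILE@@
 * placeholders are rewritten; the HTML itself is returned exactly as the
 * user typed it, so markup in a public note is executed in every viewer's
 * session.
 */
function local_notes_render_note_unsafe(stdClass $note, context $context): string {
    return file_rewrite_pluginfile_urls($note->notefield, 'pluginfile.php',
        $context->id, 'local_notes', 'note', $note->id);
}

/**
 * Fixed: the same URL rewriting, but the result is passed through
 * format_text(), which applies Moodle's HTML cleaning and text filters
 * before anything reaches the page. The 'context' option should always be
 * passed so that trusttext and filter settings are resolved for the right
 * context.
 */
function local_notes_render_note(stdClass $note, context $context): string {
    $text = file_rewrite_pluginfile_urls($note->notefield, 'pluginfile.php',
        $context->id, 'local_notes', 'note', $note->id);
    return format_text($text, $note->notefieldformat, ['context' => $context]);
}
```

A note that rendered as raw markup before the change should come out cleaned afterwards; that visible difference is the quickest check that format_text() is really in the output path.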