Restrict user to send JS code in messages


By lalit Mittal -
Number of replies: 2
Hi, 

I am facing one issue. When one user is sending messages to another user, he can send JS code, which raises the security issue of 'Cross-Site Scripting' (a security vulnerability). The user can steal confidential information like cookies etc.

I have checked the Moodle Tracker portal, and there are three tickets (MDL-61420, MDL-61359, MDL-62736), where this issue is fixed for Moodle versions 3.5 and 3.6. But I am using Moodle version 4.1 and this issue still exists. Does anyone have any idea how to tackle this issue?

I am sending the below JS code in a message:

<script src=data:&comma;alert(document.domain)//;

This code should not execute in the browser and should be sent as a string.

Thanks in advance.
This is the screenshot
Screenshots are attached.
Average of ratings: -
In reply to lalit Mittal

Re: Restrict user to send JS code in messages

By Michael Hawkins -
Core developers, Moodle HQ, Particularly helpful Moodlers, Peer reviewers, Testers
Hi lalit,

As per the Responsible Disclosure Policy in our Security Procedures documentation, please refrain from publishing potential vulnerabilities or security findings in a public forum (generally posts of this nature will be deleted, as they potentially expose sensitive information). The best way to report suspected issues of this nature is through our Security Submission Form.

In this case, I tested Moodle 4.1 and this appears to be self-XSS, where you as the sender may see the popup, but the recipient does not, so sending someone such a message will not result in JavaScript being executed when someone opens the message you sent them. On their own, these are generally considered informational findings rather than an actionable security issue. However, we may look into this further as a general bug, since the locally generated popup and subsequent error message in the chat are undesirable behaviours.
Average of ratings: Useful (1)
In reply to Michael Hawkins

Re: Restrict user to send JS code in messages

By lalit Mittal -
Thanks, Michael, for the clarification.

Is there any way to solve this issue? Can we encode the messages or anything else we can try?
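
One way to do the encoding asked about above, as an added example that is not part of the thread and is not Moodle's code: message text is HTML-encoded at the point where it is placed into markup, so the string quoted in the first post is displayed as text. The function names, the markup, and the sample sender name are assumptions made for the illustration.

```javascript
// Added example; function names and markup are assumptions, not Moodle code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can switch the HTML parser out of text context.
// '&' is encoded too, so an entity typed by the user (such as &comma;) is
// displayed literally instead of being decoded by the browser.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse of escapeHtml, used here only to show the encoding is lossless.
function unescapeHtml(html) {
  return html
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" decodes to "&lt;", not "<"
}

// Unsafe: sender name and message text are concatenated into markup as-is.
function renderMessageUnsafe(msg) {
  return `<div class="message" data-from="${msg.from}">${msg.text}</div>`;
}

// Hardened: the attribute value and the element content are both encoded.
// Use the same function for the sender's own view and for the recipient's.
function renderMessageSafe(msg) {
  return `<div class="message" data-from="${escapeHtml(msg.from)}">` +
    `${escapeHtml(msg.text)}</div>`;
}

// Constructed sample: sender name is made up, text is the string from the post.
const sample = {
  from: 'Sam "Test" User',
  text: '<script src=data:&comma;alert(document.domain)//;',
};

console.log(renderMessageUnsafe(sample)); // raw <script ...> reaches the markup
console.log(renderMessageSafe(sample));   // same characters, encoded as text
```

In browser code, assigning the text to an element's `textContent` instead of `innerHTML` gives the same result without manual escaping.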