Restrict user to send JS code in messages

Restrict user to send JS code in messages

بواسطة - lalit Mittal
عدد الردود: 2
Hi, 

I am facing one issue. When one user is sending messages to another user, he can send JS code which raises the security issue of 'Cross-Site Scripting'(a security vulnerability). the user can steal confidential information like cookies etc. 

i have checked the Moodle Tracker portal, and there are three tickets(MDL-61420, MDL-61359, MDL-62736), where this issue is fixed for Moodle versions 3.5 and 3.6. But I am using Moodle version 4.1 and this issue still exists. Does anyone have any idea how to tackle this issue?

I am sending the below js code in message:

<script src=data:&comma;alert(document.domain)//;

This code should not execute in the browser and should sent as a string.

Thanks in advance.
This is the screeshot
Screenshots are attached.
متوسط التقييمات: -
رداً على lalit Mittal

Re: Restrict user to send JS code in messages

بواسطة - Michael Hawkins
صورة Core developers صورة Moodle HQ صورة Particularly helpful Moodlers صورة Peer reviewers صورة Testers
Hi  lalit,

As per the Responsible Disclosure Policy in our Security Procedures documentation, please refrain from publishing potential vulnerabilities or security findings in a public forum (generally posts of this nature will be deleted, as they potentially expose sensitive information). The best way to report suspected issues of this nature is through our Security Submission Form.

In this case, I tested Moodle 4.1 and this appears to be self-XSS, where you as the sender may see the popup, but the recipient does not, so sending someone such a message will not result in JavaScript being executed when someone opens the message you sent them. On their own, these are generally considered informational findings rather than an actionable security issue. However we may look into this further as a general bug, since the locally generated popup and subsequent error message in the chat are undesirable behaviours.
متوسط التقييمات:Useful (1)