Moderate severityNVD Advisory· Published Jul 29, 2014· Updated May 6, 2026

CVE-2014-3548

Description

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
moodle/moodlePackagist	< 2.4.11	2.4.11
moodle/moodlePackagist	>= 2.5.0, < 2.5.7	2.5.7
moodle/moodlePackagist	>= 2.6.0, < 2.6.4	2.6.4
moodle/moodlePackagist	>= 2.7.0, < 2.7.1	2.7.1

Affected products

Moodle/Moodle35 versions
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 34 more
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.3.11
- cpe:2.3:a:moodle:moodle:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*

Patches

a1ae35173b54

MDL-45471 javascript: Escape content of exception dialogs

https://github.com/moodle/moodleFrederic MassartMay 8, 2014via ghsa

commit

1 file changed · +11 −10

lib/yui/notification/notification.js+11 −10 modified

@@ -254,11 +254,11 @@ Y.extend(EXCEPTION, DIALOGUE, {
     _keypress : null,
     initializer : function(config) {
         this.get(BASE).addClass('moodle-dialogue-exception');
-        this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+COUNT+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+        this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+COUNT+'-header-text">' + Y.Escape.html(config.name) + '</h1>', Y.WidgetStdMod.REPLACE);
         var content = C('<div class="moodle-exception"></div>')
-                    .append(C('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
-                    .append(C('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '+this.get('fileName')+'</div>'))
-                    .append(C('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '+this.get('lineNumber')+'</div>'))
+                    .append(C('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
+                    .append(C('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '+Y.Escape.html(this.get('fileName'))+'</div>'))
+                    .append(C('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '+Y.Escape.html(this.get('lineNumber'))+'</div>'))
                     .append(C('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
@@ -300,7 +300,7 @@ Y.extend(EXCEPTION, DIALOGUE, {
         },
         stack : {
             setter : function(str) {
-                var lines = str.split("\n");
+                var lines = Y.Escape.html(str).split("\n");
                 var pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$');
                 for (var i in lines) {
                     lines[i] = lines[i].replace(pattern, "<div class='stacktrace-line'>ln: $4</div><div class='stacktrace-file'>$3</div><div class='stacktrace-call'>$1</div>");
@@ -325,12 +325,12 @@ Y.extend(AJAXEXCEPTION, DIALOGUE, {
     _keypress : null,
     initializer : function(config) {
         this.get(BASE).addClass('moodle-dialogue-exception');
-        this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+COUNT+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+        this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+COUNT+'-header-text">' + Y.Escape.html(config.name) + '</h1>', Y.WidgetStdMod.REPLACE);
         var content = C('<div class="moodle-ajaxexception"></div>')
-                    .append(C('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                    .append(C('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                     .append(C('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '+this.get('reproductionlink')+'</div>'))
-                    .append(C('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '+this.get('debuginfo')+'</div>'))
-                    .append(C('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get('stacktrace')+'</pre></div>'));
+                    .append(C('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '+Y.Escape.html(this.get('debuginfo'))+'</div>'))
+                    .append(C('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -369,6 +369,7 @@ Y.extend(AJAXEXCEPTION, DIALOGUE, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link)
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;
@@ -389,4 +390,4 @@ M.core.confirm = CONFIRM;
 M.core.exception = EXCEPTION;
 M.core.ajaxException = AJAXEXCEPTION;
 
-}, '@VERSION@', {requires:['base','node','panel','event-key', 'moodle-core-notification-skin', 'dd-plugin']});
+}, '@VERSION@', {requires:['base','node','panel','escape','event-key', 'moodle-core-notification-skin', 'dd-plugin']});

6eb787b873f5

MDL-45471 javascript: Escape content of exception dialogs

https://github.com/moodle/moodleFrederic MassartMay 8, 2014via ghsa

commit

5 files changed · +34 −30

lib/yui/build/moodle-core-notification/moodle-core-notification-debug.js+11 −10 modified

@@ -302,13 +302,13 @@ Y.extend(EXCEPTION, DIALOGUE, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">'
-                + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                + Y.Escape.html(config.name) + '</h1>', Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '
-                        + this.get('fileName')+'</div>'))
+                        + Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '
-                        + this.get('lineNumber')+'</div>'))
+                        + Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'
                         + this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -351,7 +351,7 @@ Y.extend(EXCEPTION, DIALOGUE, {
         },
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {
@@ -382,15 +382,15 @@ Y.extend(AJAXEXCEPTION, DIALOGUE, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">'
-                + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                + Y.Escape.html(config.name) + '</h1>', Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '
                         + this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '
-                        + this.get('debuginfo')+'</div>'))
+                        + Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'
-                        + this.get('stacktrace')+'</pre></div>'));
+                        + Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -427,6 +427,7 @@ Y.extend(AJAXEXCEPTION, DIALOGUE, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;
@@ -448,4 +449,4 @@ M.core.exception = EXCEPTION;
 M.core.ajaxException = AJAXEXCEPTION;
 
 
-}, '@VERSION@', {"requires": ["base", "node", "panel", "event-key", "dd-plugin"]});
+}, '@VERSION@', {"requires": ["base", "node", "panel", "event-key", "escape", "dd-plugin"]});

lib/yui/build/moodle-core-notification/moodle-core-notification.js+11 −10 modified

@@ -302,13 +302,13 @@ Y.extend(EXCEPTION, DIALOGUE, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">'
-                + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                + Y.Escape.html(config.name) + '</h1>', Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '
-                        + this.get('fileName')+'</div>'))
+                        + Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '
-                        + this.get('lineNumber')+'</div>'))
+                        + Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'
                         + this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -351,7 +351,7 @@ Y.extend(EXCEPTION, DIALOGUE, {
         },
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {
@@ -382,15 +382,15 @@ Y.extend(AJAXEXCEPTION, DIALOGUE, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">'
-                + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                + Y.Escape.html(config.name) + '</h1>', Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '
                         + this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '
-                        + this.get('debuginfo')+'</div>'))
+                        + Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'
-                        + this.get('stacktrace')+'</pre></div>'));
+                        + Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -427,6 +427,7 @@ Y.extend(AJAXEXCEPTION, DIALOGUE, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;
@@ -448,4 +449,4 @@ M.core.exception = EXCEPTION;
 M.core.ajaxException = AJAXEXCEPTION;
 
 
-}, '@VERSION@', {"requires": ["base", "node", "panel", "event-key", "dd-plugin"]});
+}, '@VERSION@', {"requires": ["base", "node", "panel", "event-key", "escape", "dd-plugin"]});

lib/yui/build/moodle-core-notification/moodle-core-notification-min.js+1 −1 modified

@@ -1,2 +1,2 @@
 YUI.add("moodle-core-notification",function(e,t){var n="Moodle dialogue",r="moodle-dialogue",i="Moodle confirmation dialogue",s="Moodle exception",o="Moodle AJAX exception",u="Moodle alert",a="notificationBase",f="yesLabel",l="noLabel",c="title",h="question",p={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},d,v,m,g,y;y=function(t){t.count=e.stamp(this);var n="moodle-dialogue-"+t.count;t.notificationBase=e.Node.create('<div class="'+p.BASE+'">').append(e.Node.create('<div id="'+n+'" role="dialog" aria-labelledby="'+n+'-header-text" class="'+p.WRAP+'"></div>').append(e.Node.create('<div id="'+n+'-header-text" class="'+p.HEADER+' yui3-widget-hd"></div>')).append(e.Node.create('<div class="'+p.BODY+' yui3-widget-bd"></div>')).append(e.Node.create('<div class="'+p.FOOTER+' yui3-widget-ft"></div>'))),e.one(document.body).append(t.notificationBase),t.srcNode="#"+n,t.width=t.width||"400px",t.visible=t.visible||!1,t.center=t.centered||!0,t.centered=!1,t.lightbox!==!1&&(t.modal=!0),delete t.lightbox,t.closeButton===!1?t.buttons=null:t.buttons=[{section:e.WidgetStdMod.HEADER,classNames:"closebutton",action:function(){this.hide()}}],y.superclass.constructor.apply(this,[t]),t.closeButton!==!1&&this.get("buttons").header[0].setAttribute("title",this.get("closeButtonTitle"))},e.extend(y,e.Panel,{initializer:function(){this.after("visibleChange",this.visibilityChanged,this),this.render(),this.show(),this.get("boundingBox").setStyle("zIndex",null)},visibilityChanged:function(t){var n;t.attrName==="visible"&&(this.get("maskNode").addClass(p.LIGHTBOX),this.get("center")&&!t.prevVal&&t.newVal&&this.centerDialogue(),this.get("draggable")&&(n="#"+this.get("id")+" ."+p.HEADER,this.plug(e.Plugin.Drag,{handles:[n]}),e.one(n).setStyle("cursor","move")))},hide:function(e){if(e&&e.type==="key"&&e.keyCode===27&&!this.get("focused"))return;return y.superclass.hide.call(this,arguments)},centerDialogue:function(){var t=this.get("boundingBox"),n=t.hasClass(r+"-hidden"),i,s;n&&t.setStyle("top","-1000px").removeClass(r+"-hidden"),i=Math.max(Math.round((t.get("winWidth")-t.get("offsetWidth"))/2),15),s=Math.max(Math.round((t.get("winHeight")-t.get("offsetHeight"))/2),15)+e.one(window).get("scrollTop"),n&&t.addClass(r+"-hidden"),t.setStyle("left",i).setStyle("top",s)}},{NAME:n,CSS_PREFIX:r,ATTRS:{notificationBase:{},lightbox:{validator:e.Lang.isBoolean,value:!0},closeButton:{validator:e.Lang.isBoolean,value:!0},closeButtonTitle:{validator:e.Lang.isString,value:"Close"},center:{validator:e.Lang.isBoolean,value:!0},draggable:{validator:e.Lang.isBoolean,value:!1},COUNT:{value:null}}}),v=function(e){e.closeButton=!1,v.superclass.constructor.apply(this,[e])},e.extend(v,y,{_closeEvents:null,initializer:function(){this._closeEvents=[],this.publish("complete");var t=e.Node.create('<input type="button" id="id_yuialertconfirm-'+this.get("COUNT")+'" value="'+this.get(f)+'" />'),n=e.Node.create('<div class="confirmation-dialogue"></div>').append(e.Node.create('<div class="confirmation-message">'+this.get("message")+"</div>")).append(e.Node.create('<div class="confirmation-buttons"></div>').append(t));this.get(a).addClass("moodle-dialogue-confirm"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+this.get(c)+"</h1>",e.WidgetStdMod.REPLACE),this.after("destroyedChange",function(){this.get(a).remove()},this),this._closeEvents.push(e.on("key",this.submit,window,"down:13",this),t.on("click",this.submit,this));var r=this.get("boundingBox").one(".closebutton");r&&this._closeEvents.push(r.on("click",this.submit,this))},submit:function(){(new e.EventHandle(this._closeEvents)).detach(),this.fire("complete"),this.hide(),this.destroy()}},{NAME:u,CSS_PREFIX:r,ATTRS:{title:{validator:e.Lang.isString,value:"Alert"},message:{validator:e.Lang.isString,value:"Confirm"},yesLabel:{validator:e.Lang.isString,setter:function(e){return e||(e="Ok"),e},value:"Ok"}}}),m=function(e){m.superclass.constructor.apply(this,[e])},e.extend(m,y,{_closeEvents:null,initializer:function(){this._closeEvents=[],this.publish("complete"),this.publish("complete-yes"),this.publish("complete-no");var t=e.Node.create('<input type="button" id="id_yuiconfirmyes-'+this.get("COUNT")+'" value="'+this.get(f)+'" />'),n=e.Node.create('<input type="button" id="id_yuiconfirmno-'+this.get("COUNT")+'" value="'+this.get(l)+'" />'),r=e.Node.create('<div class="confirmation-dialogue"></div>').append(e.Node.create('<div class="confirmation-message">'+this.get(h)+"</div>")).append(e.Node.create('<div class="confirmation-buttons"></div>').append(t).append(n));this.get(a).addClass("moodle-dialogue-confirm"),this.setStdModContent(e.WidgetStdMod.BODY,r,e.WidgetStdMod.REPLACE),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+this.get(c)+"</h1>",e.WidgetStdMod.REPLACE),this.after("destroyedChange",function(){this.get(a).remove()},this),this._closeEvents.push(e.on("key",this.submit,window,"down:27",this,!1),t.on("click",this.submit,this,!0),n.on("click",this.submit,this,!1));var i=this.get("boundingBox").one(".closebutton");i&&this._closeEvents.push(i.on("click",this.submit,this))},submit:function(t,n){(new e.EventHandle(this._closeEvents)).detach(),this.fire("complete",n),n?this.fire("complete-yes"):this.fire("complete-no"),this.hide(),this.destroy()}},{NAME:i,CSS_PREFIX:r,ATTRS:{yesLabel:{validator:e.Lang.isString,value:"Yes"},noLabel:{validator:e.Lang.isString,value:"No"},title:{validator:e.Lang.isString,value:"Confirm"},question:{validator:e.Lang.isString,value:"Are you sure?"}}}),e.augment(m,e.EventTarget),d=function(t){t.width=t.width||M.cfg.developerdebug?Math.floor(e.one(document.body).get("winWidth")/3)+"px":null,t.closeButton=!0,d.superclass.constructor
-.apply(this,[t])},e.extend(d,y,{_hideTimeout:null,_keypress:null,initializer:function(t){var n,r=this,i=this.get("hideTimeoutDelay");this.get(a).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+t.name+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-exception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+this.get("message")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '+this.get("fileName")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '+this.get("lineNumber")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stack")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),i&&(this._hideTimeout=setTimeout(function(){r.hide()},i)),this.after("visibleChange",this.visibilityChanged,this),this.after("destroyedChange",function(){this.get(a).remove()},this),this._keypress=e.on("key",this.hide,window,"down:13,27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){this._keypress&&this._keypress.detach();var t=this;setTimeout(function(){t.destroy()},1e3)}}},{NAME:s,CSS_PREFIX:r,ATTRS:{message:{value:""},name:{value:""},fileName:{value:""},lineNumber:{value:""},stack:{setter:function(e){var t=e.split("\n"),n=new RegExp("^(.+)@("+M.cfg.wwwroot+")?(.{0,75}).*:(\\d+)$"),r;for(r in t)t[r]=t[r].replace(n,"<div class='stacktrace-line'>ln: $4</div><div class='stacktrace-file'>$3</div><div class='stacktrace-call'>$1</div>");return t.join("")},value:""},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),g=function(e){e.name=e.name||"Error",e.closeButton=!0,g.superclass.constructor.apply(this,[e])},e.extend(g,y,{_keypress:null,initializer:function(t){var n,r=this,i=this.get("hideTimeoutDelay");this.get(a).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+t.name+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-ajaxexception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+this.get("error")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '+this.get("reproductionlink")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '+this.get("debuginfo")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stacktrace")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),i&&(this._hideTimeout=setTimeout(function(){r.hide()},i)),this.after("visibleChange",this.visibilityChanged,this),this._keypress=e.on("key",this.hide,window,"down:13, 27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){var t=this;this._keypress.detach(),setTimeout(function(){t.destroy()},1e3)}}},{NAME:o,CSS_PREFIX:r,ATTRS:{error:{validator:e.Lang.isString,value:"Unknown error"},debuginfo:{value:null},stacktrace:{value:null},reproductionlink:{setter:function(e){return e!==null&&(e='<a href="'+e+'">'+e.replace(M.cfg.wwwroot,"")+"</a>"),e},value:null},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core=M.core||{},M.core.dialogue=y,M.core.alert=v,M.core.confirm=m,M.core.exception=d,M.core.ajaxException=g},"@VERSION@",{requires:["base","node","panel","event-key","dd-plugin"]});
+.apply(this,[t])},e.extend(d,y,{_hideTimeout:null,_keypress:null,initializer:function(t){var n,r=this,i=this.get("hideTimeoutDelay");this.get(a).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+e.Escape.html(t.name)+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-exception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+e.Escape.html(this.get("message"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '+e.Escape.html(this.get("fileName"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '+e.Escape.html(this.get("lineNumber"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stack")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),i&&(this._hideTimeout=setTimeout(function(){r.hide()},i)),this.after("visibleChange",this.visibilityChanged,this),this.after("destroyedChange",function(){this.get(a).remove()},this),this._keypress=e.on("key",this.hide,window,"down:13,27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){this._keypress&&this._keypress.detach();var t=this;setTimeout(function(){t.destroy()},1e3)}}},{NAME:s,CSS_PREFIX:r,ATTRS:{message:{value:""},name:{value:""},fileName:{value:""},lineNumber:{value:""},stack:{setter:function(t){var n=e.Escape.html(t).split("\n"),r=new RegExp("^(.+)@("+M.cfg.wwwroot+")?(.{0,75}).*:(\\d+)$"),i;for(i in n)n[i]=n[i].replace(r,"<div class='stacktrace-line'>ln: $4</div><div class='stacktrace-file'>$3</div><div class='stacktrace-call'>$1</div>");return n.join("")},value:""},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),g=function(e){e.name=e.name||"Error",e.closeButton=!0,g.superclass.constructor.apply(this,[e])},e.extend(g,y,{_keypress:null,initializer:function(t){var n,r=this,i=this.get("hideTimeoutDelay");this.get(a).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+e.Escape.html(t.name)+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-ajaxexception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+e.Escape.html(this.get("error"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '+this.get("reproductionlink")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '+e.Escape.html(this.get("debuginfo"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+e.Escape.html(this.get("stacktrace"))+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),i&&(this._hideTimeout=setTimeout(function(){r.hide()},i)),this.after("visibleChange",this.visibilityChanged,this),this._keypress=e.on("key",this.hide,window,"down:13, 27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){var t=this;this._keypress.detach(),setTimeout(function(){t.destroy()},1e3)}}},{NAME:o,CSS_PREFIX:r,ATTRS:{error:{validator:e.Lang.isString,value:"Unknown error"},debuginfo:{value:null},stacktrace:{value:null},reproductionlink:{setter:function(t){return t!==null&&(t=e.Escape.html(t),t='<a href="'+t+'">'+t.replace(M.cfg.wwwroot,"")+"</a>"),t},value:null},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core=M.core||{},M.core.dialogue=y,M.core.alert=v,M.core.confirm=m,M.core.exception=d,M.core.ajaxException=g},"@VERSION@",{requires:["base","node","panel","event-key","escape","dd-plugin"]});

lib/yui/src/notification/js/notification.js+10 −9 modified

@@ -300,13 +300,13 @@ Y.extend(EXCEPTION, DIALOGUE, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">'
-                + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                + Y.Escape.html(config.name) + '</h1>', Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '
-                        + this.get('fileName')+'</div>'))
+                        + Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '
-                        + this.get('lineNumber')+'</div>'))
+                        + Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'
                         + this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -349,7 +349,7 @@ Y.extend(EXCEPTION, DIALOGUE, {
         },
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {
@@ -380,15 +380,15 @@ Y.extend(AJAXEXCEPTION, DIALOGUE, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER, '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">'
-                + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                + Y.Escape.html(config.name) + '</h1>', Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '
                         + this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '
-                        + this.get('debuginfo')+'</div>'))
+                        + Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'
-                        + this.get('stacktrace')+'</pre></div>'));
+                        + Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -425,6 +425,7 @@ Y.extend(AJAXEXCEPTION, DIALOGUE, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;

lib/yui/src/notification/meta/notification.json+1 −0 modified

@@ -5,6 +5,7 @@
         "node",
         "panel",
         "event-key",
+        "escape",
         "dd-plugin"
     ]
   }

166e18d7cbb3

MDL-45471 javascript: Escape content of exception dialogs

https://github.com/moodle/moodleFrederic MassartMay 8, 2014via ghsa

commit

12 files changed · +42 −32

lib/yui/build/moodle-core-notification-ajaxexception/moodle-core-notification-ajaxexception-debug.js+6 −4 modified

@@ -59,15 +59,16 @@ Y.extend(AJAXEXCEPTION, M.core.dialogue, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> ' +
                         this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> ' +
-                        this.get('debuginfo')+'</div>'))
+                        Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
-                        this.get('stacktrace')+'</pre></div>'));
+                        Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -140,6 +141,7 @@ Y.extend(AJAXEXCEPTION, M.core.dialogue, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;

lib/yui/build/moodle-core-notification-ajaxexception/moodle-core-notification-ajaxexception.js+6 −4 modified

@@ -59,15 +59,16 @@ Y.extend(AJAXEXCEPTION, M.core.dialogue, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> ' +
                         this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> ' +
-                        this.get('debuginfo')+'</div>'))
+                        Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
-                        this.get('stacktrace')+'</pre></div>'));
+                        Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -140,6 +141,7 @@ Y.extend(AJAXEXCEPTION, M.core.dialogue, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;

lib/yui/build/moodle-core-notification-ajaxexception/moodle-core-notification-ajaxexception-min.js+1 −1 modified

@@ -1 +1 @@
-YUI.add("moodle-core-notification-ajaxexception",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle AJAX exception",l;l=function(e){e.name=e.name||"Error",e.closeButton=!0,l.superclass.constructor.apply(this,[e])},e.extend(l,M.core.dialogue,{_keypress:null,initializer:function(t){var n,i=this,s=this.get("hideTimeoutDelay");this.get(r).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+t.name+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-ajaxexception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+this.get("error")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '+this.get("reproductionlink")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '+this.get("debuginfo")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stacktrace")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),s&&(this._hideTimeout=setTimeout(function(){i.hide()},s)),this.after("visibleChange",this.visibilityChanged,this),this._keypress=e.on("key",this.hide,window,"down:13, 27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){var t=this;this._keypress.detach(),setTimeout(function(){t.destroy()},1e3)}}},{NAME:f,CSS_PREFIX:n,ATTRS:{error:{validator:e.Lang.isString,value:M.util.get_string("unknownerror","moodle")},debuginfo:{value:null},stacktrace:{value:null},reproductionlink:{setter:function(e){return e!==null&&(e='<a href="'+e+'">'+e.replace(M.cfg.wwwroot,"")+"</a>"),e},value:null},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core.ajaxException=l},"@VERSION@",{requires:["moodle-core-notification-dialogue"]});
+YUI.add("moodle-core-notification-ajaxexception",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle AJAX exception",l;l=function(e){e.name=e.name||"Error",e.closeButton=!0,l.superclass.constructor.apply(this,[e])},e.extend(l,M.core.dialogue,{_keypress:null,initializer:function(t){var n,i=this,s=this.get("hideTimeoutDelay");this.get(r).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+e.Escape.html(t.name)+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-ajaxexception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+e.Escape.html(this.get("error"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '+this.get("reproductionlink")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '+e.Escape.html(this.get("debuginfo"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+e.Escape.html(this.get("stacktrace"))+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),s&&(this._hideTimeout=setTimeout(function(){i.hide()},s)),this.after("visibleChange",this.visibilityChanged,this),this._keypress=e.on("key",this.hide,window,"down:13, 27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){var t=this;this._keypress.detach(),setTimeout(function(){t.destroy()},1e3)}}},{NAME:f,CSS_PREFIX:n,ATTRS:{error:{validator:e.Lang.isString,value:M.util.get_string("unknownerror","moodle")},debuginfo:{value:null},stacktrace:{value:null},reproductionlink:{setter:function(t){return t!==null&&(t=e.Escape.html(t),t='<a href="'+t+'">'+t.replace(M.cfg.wwwroot,"")+"</a>"),t},value:null},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core.ajaxException=l},"@VERSION@",{requires:["moodle-core-notification-dialogue"]});

lib/yui/build/moodle-core-notification-dialogue/moodle-core-notification-dialogue-debug.js+1 −1 modified

@@ -529,4 +529,4 @@ Y.extend(DIALOGUE, Y.Panel, {
 M.core.dialogue = DIALOGUE;
 
 
-}, '@VERSION@', {"requires": ["base", "node", "panel", "event-key", "dd-plugin", "moodle-core-lockscroll"]});
+}, '@VERSION@', {"requires": ["base", "node", "panel", "escape", "event-key", "dd-plugin", "moodle-core-lockscroll"]});

lib/yui/build/moodle-core-notification-dialogue/moodle-core-notification-dialogue.js+1 −1 modified

@@ -529,4 +529,4 @@ Y.extend(DIALOGUE, Y.Panel, {
 M.core.dialogue = DIALOGUE;
 
 
-}, '@VERSION@', {"requires": ["base", "node", "panel", "event-key", "dd-plugin", "moodle-core-lockscroll"]});
+}, '@VERSION@', {"requires": ["base", "node", "panel", "escape", "event-key", "dd-plugin", "moodle-core-lockscroll"]});

lib/yui/build/moodle-core-notification-dialogue/moodle-core-notification-dialogue-min.js+1 −1 modified

@@ -1 +1 @@
-YUI.add("moodle-core-notification-dialogue",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle dialogue",l,c=n+"-fullscreen",h=n+"-hidden",p=" [role=dialog]",d="[role=menubar]",v=".moodle-has-zindex",m='input:not([type="hidden"]), a[href], button, textarea, select, [tabindex]';l=function(t){var n=e.clone(t);n.COUNT=e.stamp(this);var r="moodle-dialogue-"+n.COUNT;n.notificationBase=e.Node.create('<div class="'+a.BASE+'">').append(e.Node.create('<div id="'+r+'" role="dialog" aria-labelledby="'+r+'-header-text" class="'+a.WRAP+'"></div>').append(e.Node.create('<div id="'+r+'-header-text" class="'+a.HEADER+' yui3-widget-hd"></div>')).append(e.Node.create('<div class="'+a.BODY+' yui3-widget-bd"></div>')).append(e.Node.create('<div class="'+a.FOOTER+' yui3-widget-ft"></div>'))),e.one(document.body).append(n.notificationBase),n.additionalBaseClass&&n.notificationBase.addClass(n.additionalBaseClass),n.srcNode="#"+r,n.render=typeof n.render!="undefined"?n.render:!0,n.width=n.width||"400px",typeof n.center=="undefined"?n.center=!0:n.center=n.centered&&!0,n.centered=!1,n.width==="auto"&&delete n.width,n.lightbox!==!1&&(n.modal=!0),delete n.lightbox,n.closeButton===!1?n.buttons=null:n.buttons=[{section:e.WidgetStdMod.HEADER,classNames:"closebutton",action:function(){this.hide()}}],l.superclass.constructor.apply(this,[n]),n.closeButton!==!1&&this.get("buttons").header[0].setAttribute("title",this.get("closeButtonTitle"))},e.extend(l,e.Panel,{_resizeevent:null,_orientationevent:null,_calculatedzindex:!1,initializer:function(){var t;this.get("render")&&!this.get("rendered")&&this.render(),this.makeResponsive(),this.after("visibleChange",this.visibilityChanged,this),this.get("center")&&this.centerDialogue(),this.get("modal")&&this.plug(e.M.core.LockScroll),t=this.get("boundingBox"),e.Array.each(this.get("extraClasses"),t.addClass,t),this.get("visible")&&this.applyZIndex(),this.on("maskShow",this.applyZIndex),this.get("visible")&&(this.show(),this.keyDelegation())},applyZIndex:function(){var t=1,n=1,r=this.get("boundingBox"),i=this.get("maskNode"),s=this.get("zIndex");s!==0&&!this._calculatedzindex?r.setStyle("zIndex",s):(e.all(p+", "+d+", "+v).each(function(e){var n=this.findZIndex(e);n>t&&(t=n)},this),n=(t+1).toString(),r.setStyle("zIndex",n),this.set("zIndex",n),this.get("modal")&&i.setStyle("zIndex",n),this._calculatedzindex=!0)},findZIndex:function(e){var t=e.getStyle("zIndex")||e.ancestor().getStyle("zIndex");return t?parseInt(t,10):0},visibilityChanged:function(t){var n,r;t.attrName==="visible"&&(this.get("maskNode").addClass(a.LIGHTBOX),t.prevVal&&!t.newVal&&(r=this.get("boundingBox"),this._resizeevent&&(this._resizeevent.detach(),this._resizeevent=null),this._orientationevent&&(this._orientationevent.detach(),this._orientationevent=null),r.detach("key",this.keyDelegation)),!t.prevVal&&t.newVal&&(this.applyZIndex(),this.makeResponsive(),this.shouldResizeFullscreen()||this.get("draggable")&&(n="#"+this.get("id")+" ."+a.HEADER,this.plug(e.Plugin.Drag,{handles:[n]}),e.one(n).setStyle("cursor","move")),this.keyDelegation()),this.get("center")&&!t.prevVal&&t.newVal&&this.centerDialogue())},makeResponsive:function(){var t=this.get("boundingBox"),n;this.shouldResizeFullscreen()?(t.addClass(c),t.setStyles({left:null,top:null,width:null,height:null,right:null,bottom:null}),n=e.one("#"+this.get("id")+" ."+a.BODY)):this.get("responsive")&&(t.removeClass(c).setStyles({width:this.get("width"),height:this.get("height")}),n=e.one("#"+this.get("id")+" ."+a.BODY))},centerDialogue:function(){var t=this.get("boundingBox"),n=t.hasClass(h),r,i;if(this.shouldResizeFullscreen())return;n&&t.setStyle("top","-1000px").removeClass(h),r=Math.max(Math.round((t.get("winWidth")-t.get("offsetWidth"))/2),15),i=Math.max(Math.round((t.get("winHeight")-t.get("offsetHeight"))/2),15)+e.one(window).get("scrollTop"),t.setStyles({left:r,top:i}),n&&t.addClass(h)},shouldResizeFullscreen:function(){return window===window.parent&&this.get("responsive")&&Math.floor(e.one(document.body).get("winWidth"))<this.get("responsiveWidth")},show:function(){var e=null,t=this.headerNode,n=this.bodyNode;return e=l.superclass.show.call(this),this.lockScroll&&this.lockScroll.enableScrollLock(this.shouldResizeFullscreen()),t&&t!==""?t.focus():n&&n!==""&&n.focus(),e},hide:function(e){if(e&&e.type==="key"&&e.keyCode===27&&!this.get("focused"))return;return this.lockScroll&&this.lockScroll.disableScrollLock(),l.superclass.hide.call(this,arguments)},keyDelegation:function(){var e=this.get("boundingBox");e.delegate("key",function(e){var t=e.target,n="forward";e.shiftKey&&(n="backward"),this.trapFocus(t,n)&&e.preventDefault()},"down:9",m,this)},trapFocus:function(e,t){var n=this.get("boundingBox"),r=n.one(m),i=n.all(m).pop();if(e===i&&t==="forward")return r.focus();if(e===r&&t==="backward")return i.focus()}},{NAME:f,CSS_PREFIX:n,ATTRS:{notificationBase:{},lightbox:{validator:e.Lang.isBoolean,value:!0},closeButton:{validator:e.Lang.isBoolean,value:!0},closeButtonTitle:{validator:e.Lang.isString,value:M.util.get_string("closebuttontitle","moodle")},center:{validator:e.Lang.isBoolean,value:!0},draggable:{validator:e.Lang.isBoolean,value:!1},COUNT:{value:null},responsive:{validator:e.Lang.isBoolean,value:!0},responsiveWidth:{value:768},extraClasses:{value:[]}}}),M.core.dialogue=l},"@VERSION@",{requires:["base","node","panel","event-key","dd-plugin","moodle-core-lockscroll"]});
+YUI.add("moodle-core-notification-dialogue",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle dialogue",l,c=n+"-fullscreen",h=n+"-hidden",p=" [role=dialog]",d="[role=menubar]",v=".moodle-has-zindex",m='input:not([type="hidden"]), a[href], button, textarea, select, [tabindex]';l=function(t){var n=e.clone(t);n.COUNT=e.stamp(this);var r="moodle-dialogue-"+n.COUNT;n.notificationBase=e.Node.create('<div class="'+a.BASE+'">').append(e.Node.create('<div id="'+r+'" role="dialog" aria-labelledby="'+r+'-header-text" class="'+a.WRAP+'"></div>').append(e.Node.create('<div id="'+r+'-header-text" class="'+a.HEADER+' yui3-widget-hd"></div>')).append(e.Node.create('<div class="'+a.BODY+' yui3-widget-bd"></div>')).append(e.Node.create('<div class="'+a.FOOTER+' yui3-widget-ft"></div>'))),e.one(document.body).append(n.notificationBase),n.additionalBaseClass&&n.notificationBase.addClass(n.additionalBaseClass),n.srcNode="#"+r,n.render=typeof n.render!="undefined"?n.render:!0,n.width=n.width||"400px",typeof n.center=="undefined"?n.center=!0:n.center=n.centered&&!0,n.centered=!1,n.width==="auto"&&delete n.width,n.lightbox!==!1&&(n.modal=!0),delete n.lightbox,n.closeButton===!1?n.buttons=null:n.buttons=[{section:e.WidgetStdMod.HEADER,classNames:"closebutton",action:function(){this.hide()}}],l.superclass.constructor.apply(this,[n]),n.closeButton!==!1&&this.get("buttons").header[0].setAttribute("title",this.get("closeButtonTitle"))},e.extend(l,e.Panel,{_resizeevent:null,_orientationevent:null,_calculatedzindex:!1,initializer:function(){var t;this.get("render")&&!this.get("rendered")&&this.render(),this.makeResponsive(),this.after("visibleChange",this.visibilityChanged,this),this.get("center")&&this.centerDialogue(),this.get("modal")&&this.plug(e.M.core.LockScroll),t=this.get("boundingBox"),e.Array.each(this.get("extraClasses"),t.addClass,t),this.get("visible")&&this.applyZIndex(),this.on("maskShow",this.applyZIndex),this.get("visible")&&(this.show(),this.keyDelegation())},applyZIndex:function(){var t=1,n=1,r=this.get("boundingBox"),i=this.get("maskNode"),s=this.get("zIndex");s!==0&&!this._calculatedzindex?r.setStyle("zIndex",s):(e.all(p+", "+d+", "+v).each(function(e){var n=this.findZIndex(e);n>t&&(t=n)},this),n=(t+1).toString(),r.setStyle("zIndex",n),this.set("zIndex",n),this.get("modal")&&i.setStyle("zIndex",n),this._calculatedzindex=!0)},findZIndex:function(e){var t=e.getStyle("zIndex")||e.ancestor().getStyle("zIndex");return t?parseInt(t,10):0},visibilityChanged:function(t){var n,r;t.attrName==="visible"&&(this.get("maskNode").addClass(a.LIGHTBOX),t.prevVal&&!t.newVal&&(r=this.get("boundingBox"),this._resizeevent&&(this._resizeevent.detach(),this._resizeevent=null),this._orientationevent&&(this._orientationevent.detach(),this._orientationevent=null),r.detach("key",this.keyDelegation)),!t.prevVal&&t.newVal&&(this.applyZIndex(),this.makeResponsive(),this.shouldResizeFullscreen()||this.get("draggable")&&(n="#"+this.get("id")+" ."+a.HEADER,this.plug(e.Plugin.Drag,{handles:[n]}),e.one(n).setStyle("cursor","move")),this.keyDelegation()),this.get("center")&&!t.prevVal&&t.newVal&&this.centerDialogue())},makeResponsive:function(){var t=this.get("boundingBox"),n;this.shouldResizeFullscreen()?(t.addClass(c),t.setStyles({left:null,top:null,width:null,height:null,right:null,bottom:null}),n=e.one("#"+this.get("id")+" ."+a.BODY)):this.get("responsive")&&(t.removeClass(c).setStyles({width:this.get("width"),height:this.get("height")}),n=e.one("#"+this.get("id")+" ."+a.BODY))},centerDialogue:function(){var t=this.get("boundingBox"),n=t.hasClass(h),r,i;if(this.shouldResizeFullscreen())return;n&&t.setStyle("top","-1000px").removeClass(h),r=Math.max(Math.round((t.get("winWidth")-t.get("offsetWidth"))/2),15),i=Math.max(Math.round((t.get("winHeight")-t.get("offsetHeight"))/2),15)+e.one(window).get("scrollTop"),t.setStyles({left:r,top:i}),n&&t.addClass(h)},shouldResizeFullscreen:function(){return window===window.parent&&this.get("responsive")&&Math.floor(e.one(document.body).get("winWidth"))<this.get("responsiveWidth")},show:function(){var e=null,t=this.headerNode,n=this.bodyNode;return e=l.superclass.show.call(this),this.lockScroll&&this.lockScroll.enableScrollLock(this.shouldResizeFullscreen()),t&&t!==""?t.focus():n&&n!==""&&n.focus(),e},hide:function(e){if(e&&e.type==="key"&&e.keyCode===27&&!this.get("focused"))return;return this.lockScroll&&this.lockScroll.disableScrollLock(),l.superclass.hide.call(this,arguments)},keyDelegation:function(){var e=this.get("boundingBox");e.delegate("key",function(e){var t=e.target,n="forward";e.shiftKey&&(n="backward"),this.trapFocus(t,n)&&e.preventDefault()},"down:9",m,this)},trapFocus:function(e,t){var n=this.get("boundingBox"),r=n.one(m),i=n.all(m).pop();if(e===i&&t==="forward")return r.focus();if(e===r&&t==="backward")return i.focus()}},{NAME:f,CSS_PREFIX:n,ATTRS:{notificationBase:{},lightbox:{validator:e.Lang.isBoolean,value:!0},closeButton:{validator:e.Lang.isBoolean,value:!0},closeButtonTitle:{validator:e.Lang.isString,value:M.util.get_string("closebuttontitle","moodle")},center:{validator:e.Lang.isBoolean,value:!0},draggable:{validator:e.Lang.isBoolean,value:!1},COUNT:{value:null},responsive:{validator:e.Lang.isBoolean,value:!0},responsiveWidth:{value:768},extraClasses:{value:[]}}}),M.core.dialogue=l},"@VERSION@",{requires:["base","node","panel","escape","event-key","dd-plugin","moodle-core-lockscroll"]});

lib/yui/build/moodle-core-notification-exception/moodle-core-notification-exception-debug.js+6 −5 modified

@@ -75,13 +75,14 @@ Y.extend(EXCEPTION, M.core.dialogue, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> ' +
-                        this.get('fileName')+'</div>'))
+                        Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> ' +
-                        this.get('lineNumber')+'</div>'))
+                        Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
                         this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -163,7 +164,7 @@ Y.extend(EXCEPTION, M.core.dialogue, {
          */
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {

lib/yui/build/moodle-core-notification-exception/moodle-core-notification-exception.js+6 −5 modified

@@ -75,13 +75,14 @@ Y.extend(EXCEPTION, M.core.dialogue, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> ' +
-                        this.get('fileName')+'</div>'))
+                        Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> ' +
-                        this.get('lineNumber')+'</div>'))
+                        Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
                         this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -163,7 +164,7 @@ Y.extend(EXCEPTION, M.core.dialogue, {
          */
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {

lib/yui/build/moodle-core-notification-exception/moodle-core-notification-exception-min.js+1 −1 modified

@@ -1 +1 @@
-YUI.add("moodle-core-notification-exception",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle exception",l;l=function(t){var n=e.mix({},t);n.width=n.width||M.cfg.developerdebug?Math.floor(e.one(document.body).get("winWidth")/3)+"px":null,n.closeButton=!0;var r=["message","name","fileName","lineNumber","stack"];e.Array.each(r,function(e){n[e]=t[e]}),l.superclass.constructor.apply(this,[n])},e.extend(l,M.core.dialogue,{_hideTimeout:null,_keypress:null,initializer:function(t){var n,i=this,s=this.get("hideTimeoutDelay");this.get(r).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+t.COUNT+'-header-text">'+t.name+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-exception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+this.get("message")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '+this.get("fileName")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '+this.get("lineNumber")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stack")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),s&&(this._hideTimeout=setTimeout(function(){i.hide()},s)),this.after("visibleChange",this.visibilityChanged,this),this.after("destroyedChange",function(){this.get(r).remove()},this),this._keypress=e.on("key",this.hide,window,"down:13,27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){this._keypress&&this._keypress.detach();var t=this;setTimeout(function(){t.destroy()},1e3)}}},{NAME:f,CSS_PREFIX:n,ATTRS:{message:{value:""},name:{value:""},fileName:{value:""},lineNumber:{value:""},stack:{setter:function(e){var t=e.split("\n"),n=new RegExp("^(.+)@("+M.cfg.wwwroot+")?(.{0,75}).*:(\\d+)$"),r;for(r in t)t[r]=t[r].replace(n,"<div class='stacktrace-line'>ln: $4</div><div class='stacktrace-file'>$3</div><div class='stacktrace-call'>$1</div>");return t.join("")},value:""},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core.exception=l},"@VERSION@",{requires:["moodle-core-notification-dialogue"]});
+YUI.add("moodle-core-notification-exception",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle exception",l;l=function(t){var n=e.mix({},t);n.width=n.width||M.cfg.developerdebug?Math.floor(e.one(document.body).get("winWidth")/3)+"px":null,n.closeButton=!0;var r=["message","name","fileName","lineNumber","stack"];e.Array.each(r,function(e){n[e]=t[e]}),l.superclass.constructor.apply(this,[n])},e.extend(l,M.core.dialogue,{_hideTimeout:null,_keypress:null,initializer:function(t){var n,i=this,s=this.get("hideTimeoutDelay");this.get(r).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+t.COUNT+'-header-text">'+e.Escape.html(t.name)+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-exception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+e.Escape.html(this.get("message"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '+e.Escape.html(this.get("fileName"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '+e.Escape.html(this.get("lineNumber"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stack")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),s&&(this._hideTimeout=setTimeout(function(){i.hide()},s)),this.after("visibleChange",this.visibilityChanged,this),this.after("destroyedChange",function(){this.get(r).remove()},this),this._keypress=e.on("key",this.hide,window,"down:13,27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){this._keypress&&this._keypress.detach();var t=this;setTimeout(function(){t.destroy()},1e3)}}},{NAME:f,CSS_PREFIX:n,ATTRS:{message:{value:""},name:{value:""},fileName:{value:""},lineNumber:{value:""},stack:{setter:function(t){var n=e.Escape.html(t).split("\n"),r=new RegExp("^(.+)@("+M.cfg.wwwroot+")?(.{0,75}).*:(\\d+)$"),i;for(i in n)n[i]=n[i].replace(r,"<div class='stacktrace-line'>ln: $4</div><div class='stacktrace-file'>$3</div><div class='stacktrace-call'>$1</div>");return n.join("")},value:""},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core.exception=l},"@VERSION@",{requires:["moodle-core-notification-dialogue"]});

lib/yui/src/notification/js/ajaxexception.js+6 −4 modified

@@ -30,15 +30,16 @@ Y.extend(AJAXEXCEPTION, M.core.dialogue, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> ' +
                         this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> ' +
-                        this.get('debuginfo')+'</div>'))
+                        Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
-                        this.get('stacktrace')+'</pre></div>'));
+                        Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -111,6 +112,7 @@ Y.extend(AJAXEXCEPTION, M.core.dialogue, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;

lib/yui/src/notification/js/exception.js+6 −5 modified

@@ -46,13 +46,14 @@ Y.extend(EXCEPTION, M.core.dialogue, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> ' +
-                        this.get('fileName')+'</div>'))
+                        Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> ' +
-                        this.get('lineNumber')+'</div>'))
+                        Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
                         this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -134,7 +135,7 @@ Y.extend(EXCEPTION, M.core.dialogue, {
          */
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {

lib/yui/src/notification/meta/notification.json+1 −0 modified

@@ -13,6 +13,7 @@
         "base",
         "node",
         "panel",
+        "escape",
         "event-key",
         "dd-plugin",
         "moodle-core-lockscroll"

53ca351f7af8

MDL-45471 javascript: Escape content of exception dialogs

https://github.com/moodle/moodleFrederic MassartMay 8, 2014via ghsa

commit

12 files changed · +42 −30

lib/yui/build/moodle-core-notification-ajaxexception/moodle-core-notification-ajaxexception-debug.js+6 −4 modified

@@ -59,15 +59,16 @@ Y.extend(AJAXEXCEPTION, M.core.notification.info, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> ' +
                         this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> ' +
-                        this.get('debuginfo')+'</div>'))
+                        Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
-                        this.get('stacktrace')+'</pre></div>'));
+                        Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -140,6 +141,7 @@ Y.extend(AJAXEXCEPTION, M.core.notification.info, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;

lib/yui/build/moodle-core-notification-ajaxexception/moodle-core-notification-ajaxexception.js+6 −4 modified

@@ -59,15 +59,16 @@ Y.extend(AJAXEXCEPTION, M.core.notification.info, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> ' +
                         this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> ' +
-                        this.get('debuginfo')+'</div>'))
+                        Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
-                        this.get('stacktrace')+'</pre></div>'));
+                        Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -140,6 +141,7 @@ Y.extend(AJAXEXCEPTION, M.core.notification.info, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;

lib/yui/build/moodle-core-notification-ajaxexception/moodle-core-notification-ajaxexception-min.js+1 −1 modified

@@ -1 +1 @@
-YUI.add("moodle-core-notification-ajaxexception",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle AJAX exception",l;l=function(e){e.name=e.name||"Error",e.closeButton=!0,l.superclass.constructor.apply(this,[e])},e.extend(l,M.core.notification.info,{_keypress:null,initializer:function(t){var n,i=this,s=this.get("hideTimeoutDelay");this.get(r).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+t.name+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-ajaxexception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+this.get("error")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '+this.get("reproductionlink")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '+this.get("debuginfo")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stacktrace")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),s&&(this._hideTimeout=setTimeout(function(){i.hide()},s)),this.after("visibleChange",this.visibilityChanged,this),this._keypress=e.on("key",this.hide,window,"down:13, 27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){var t=this;this._keypress.detach(),setTimeout(function(){t.destroy()},1e3)}}},{NAME:f,CSS_PREFIX:n,ATTRS:{error:{validator:e.Lang.isString,value:M.util.get_string("unknownerror","moodle")},debuginfo:{value:null},stacktrace:{value:null},reproductionlink:{setter:function(e){return e!==null&&(e='<a href="'+e+'">'+e.replace(M.cfg.wwwroot,"")+"</a>"),e},value:null},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core.ajaxException=l},"@VERSION@",{requires:["moodle-core-notification-dialogue"]});
+YUI.add("moodle-core-notification-ajaxexception",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle AJAX exception",l;l=function(e){e.name=e.name||"Error",e.closeButton=!0,l.superclass.constructor.apply(this,[e])},e.extend(l,M.core.notification.info,{_keypress:null,initializer:function(t){var n,i=this,s=this.get("hideTimeoutDelay");this.get(r).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+this.get("COUNT")+'-header-text">'+e.Escape.html(t.name)+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-ajaxexception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+e.Escape.html(this.get("error"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> '+this.get("reproductionlink")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> '+e.Escape.html(this.get("debuginfo"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+e.Escape.html(this.get("stacktrace"))+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),s&&(this._hideTimeout=setTimeout(function(){i.hide()},s)),this.after("visibleChange",this.visibilityChanged,this),this._keypress=e.on("key",this.hide,window,"down:13, 27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){var t=this;this._keypress.detach(),setTimeout(function(){t.destroy()},1e3)}}},{NAME:f,CSS_PREFIX:n,ATTRS:{error:{validator:e.Lang.isString,value:M.util.get_string("unknownerror","moodle")},debuginfo:{value:null},stacktrace:{value:null},reproductionlink:{setter:function(t){return t!==null&&(t=e.Escape.html(t),t='<a href="'+t+'">'+t.replace(M.cfg.wwwroot,"")+"</a>"),t},value:null},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core.ajaxException=l},"@VERSION@",{requires:["moodle-core-notification-dialogue"]});

lib/yui/build/moodle-core-notification-dialogue/moodle-core-notification-dialogue-debug.js+1 −0 modified

@@ -676,6 +676,7 @@ M.core.notification.info = INFO;
         "base",
         "node",
         "panel",
+        "escape",
         "event-key",
         "dd-plugin",
         "moodle-core-widget-focusafterclose",

lib/yui/build/moodle-core-notification-dialogue/moodle-core-notification-dialogue.js+1 −0 modified

@@ -674,6 +674,7 @@ M.core.notification.info = INFO;
         "base",
         "node",
         "panel",
+        "escape",
         "event-key",
         "dd-plugin",
         "moodle-core-widget-focusafterclose",

lib/yui/build/moodle-core-notification-dialogue/moodle-core-notification-dialogue-min.js+1 −1 modified

@@ -1,2 +1,2 @@
 YUI.add("moodle-core-notification-dialogue",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle dialogue",l,c=n+"-fullscreen",h=n+"-hidden",p=" [role=dialog]",d="[role=menubar]",v=".moodle-has-zindex",m='input:not([type="hidden"]), a[href], button, textarea, select, [tabindex]';l=function(t){var n=e.clone(t);n.COUNT=e.stamp(this);var r="moodle-dialogue-"+n.COUNT;n.notificationBase=e.Node.create('<div class="'+a.BASE+'">').append(e.Node.create('<div id="'+r+'" role="dialog" aria-labelledby="'+r+'-header-text" class="'+a.WRAP+'"></div>').append(e.Node.create('<div id="'+r+'-header-text" class="'+a.HEADER+' yui3-widget-hd"></div>')).append(e.Node.create('<div class="'+a.BODY+' yui3-widget-bd"></div>')).append(e.Node.create('<div class="'+a.FOOTER+' yui3-widget-ft"></div>'))),e.one(document.body).append(n.notificationBase),n.additionalBaseClass&&n.notificationBase.addClass(n.additionalBaseClass),n.srcNode="#"+r,n.closeButton===!1?n.buttons=null:n.buttons=[{section:e.WidgetStdMod.HEADER,classNames:"closebutton",action:function(){this.hide()}}],l.superclass.constructor.apply(this,[n]),n.closeButton!==!1&&this.get("buttons").header[0].setAttribute("title",this.get("closeButtonTitle"))},e.extend(l,e.Panel,{_resizeevent:null,_orientationevent:null,_calculatedzindex:!1,initializer:function(){var t;this.get("render")&&this.render(),this.makeResponsive(),this.after("visibleChange",this.visibilityChanged,this),this.get("center")&&this.centerDialogue(),this.get("modal")&&this.plug(e.M.core.LockScroll),t=this.get("boundingBox"),e.Array.each(this.get("extraClasses"),t.addClass,t),this.get("visible")&&this.applyZIndex(),this.on("maskShow",this.applyZIndex),this.get("visible")&&(this.show(),this.keyDelegation()),this.after("destroyedChange",function(){this.get(r).remove(!0)},this)},applyZIndex:function(){var t=1,n=1,r=this.get("boundingBox"),i=this.get("maskNode"),s=this.get("zIndex");s!==0&&!this._calculatedzindex?r.setStyle("zIndex",s):(e.all(p+", "+d+", "+v).each(function(e){var n=this.findZIndex(e);n>t&&(t=n)},this),n=(t+1).toString(),r.setStyle("zIndex",n),this.set("zIndex",n),this.get("modal")&&i.setStyle("zIndex",n),this._calculatedzindex=!0)},findZIndex:function(e){var t=e.getStyle("zIndex")||e.ancestor().getStyle("zIndex");return t?parseInt(t,10):0},visibilityChanged:function(t){var n,r;t.attrName==="visible"&&(this.get("maskNode").addClass(a.LIGHTBOX),t.prevVal&&!t.newVal&&(r=this.get("boundingBox"),this._resizeevent&&(this._resizeevent.detach(),this._resizeevent=null),this._orientationevent&&(this._orientationevent.detach(),this._orientationevent=null),r.detach("key",this.keyDelegation)),!t.prevVal&&t.newVal&&(this.applyZIndex(),this.makeResponsive(),this.shouldResizeFullscreen()||this.get("draggable")&&(n="#"+this.get("id")+" ."+a.HEADER,this.plug(e.Plugin.Drag,{handles:[n]}),e.one(n).setStyle("cursor","move")),this.keyDelegation()),this.get("center")&&!t.prevVal&&t.newVal&&this.centerDialogue())},makeResponsive:function(){var t=this.get("boundingBox"),n;this.shouldResizeFullscreen()?(t.addClass(c),t.setStyles({left:null,top:null,width:null,height:null,right:null,bottom:null}),n=e.one("#"+this.get("id")+" ."+a.BODY)):this.get("responsive")&&(t.removeClass(c).setStyles({width:this.get("width"),height:this.get("height")}),n=e.one("#"+this.get("id")+" ."+a.BODY))},centerDialogue:function(){var t=this.get("boundingBox"),n=t.hasClass(h),r,i;if(this.shouldResizeFullscreen())return;n&&t.setStyle("top","-1000px").removeClass(h),r=Math.max(Math.round((t.get("winWidth")-t.get("offsetWidth"))/2),15),i=Math.max(Math.round((t.get("winHeight")-t.get("offsetHeight"))/2),15)+e.one(window).get("scrollTop"),t.setStyles({left:r,top:i}),n&&t.addClass(h)},shouldResizeFullscreen:function(){return window===window.parent&&this.get("responsive")&&Math.floor(e.one(document.body).get("winWidth"))<this.get("responsiveWidth")},show:function(){var e=null,t=this.headerNode,n=this.bodyNode,r=this.get("focusOnShowSelector"),i=null;return e=l.superclass.show.call(this),this.lockScroll&&this.lockScroll.enableScrollLock(this.shouldResizeFullscreen()),r!==null&&(i=this.get("boundingBox").one(r)),i||(t&&t!==""?i=t:n&&n!==""&&(i=n)),i&&i.focus(),e},hide:function(e){if(e&&e.type==="key"&&e.keyCode===27&&!this.get("focused"))return;return this.lockScroll&&this.lockScroll.disableScrollLock(),l.superclass.hide.call(this,arguments)},keyDelegation:function(){var e=this.get("boundingBox");e.delegate("key",function(e){var t=e.target,n="forward";e.shiftKey&&(n="backward"),this.trapFocus(t,n)&&e.preventDefault()},"down:9",m,this)},trapFocus:function(e,t){var n=this.get("boundingBox"),r=n.one(m),i=n.all(m).pop();if(e===i&&t==="forward")return r.focus();if(e===r&&t==="backward")return i.focus()}},{NAME:f,CSS_PREFIX:n,ATTRS:{notificationBase:{},lightbox:{lazyAdd:!1,setter:function(e){this.set("modal",e)}},closeButton:{validator:e.Lang.isBoolean,value:!0},closeButtonTitle:{validator:e.Lang.isString,value:M.util.get_string("closebuttontitle","moodle")},center:{validator:e.Lang.isBoolean,value:!0},draggable:{validator:e.Lang.isBoolean,value:!1},COUNT:{value:null},responsive:{validator:e.Lang.isBoolean,value:!0},responsiveWidth:{value:768},focusOnShowSelector:{value:null}}}),e.Base.modifyAttrs(l,{width:{value:"400px",setter:function(e){return e==="auto"?"":e}},visible:{value:!1},centered:{setter:function(e){return e&&this.set("center",!0),!1}},render:{value:!0,writeOnce:!0},extraClasses:{value:[]}}),e.Base.mix(l,[e.M.core.WidgetFocusAfterHide]),M.core.dialogue=l;var g=function(){g.superclass.constructor.apply(this,arguments)};e.extend(g,M.core.dialogue,{},{NAME:"Moodle information dialogue",CSS_PREFIX:n}),e.Base.modifyAttrs(g,
-{visible:{value:!0},modal:{validator:e.Lang.isBoolean,value:!0}}),M.core.notification=M.core.notification||{},M.core.notification.info=g},"@VERSION@",{requires:["base","node","panel","event-key","dd-plugin","moodle-core-widget-focusafterclose","moodle-core-lockscroll"]});
+{visible:{value:!0},modal:{validator:e.Lang.isBoolean,value:!0}}),M.core.notification=M.core.notification||{},M.core.notification.info=g},"@VERSION@",{requires:["base","node","panel","escape","event-key","dd-plugin","moodle-core-widget-focusafterclose","moodle-core-lockscroll"]});

lib/yui/build/moodle-core-notification-exception/moodle-core-notification-exception-debug.js+6 −5 modified

@@ -75,13 +75,14 @@ Y.extend(EXCEPTION, M.core.notification.info, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> ' +
-                        this.get('fileName')+'</div>'))
+                        Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> ' +
-                        this.get('lineNumber')+'</div>'))
+                        Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
                         this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -162,7 +163,7 @@ Y.extend(EXCEPTION, M.core.notification.info, {
          */
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {

lib/yui/build/moodle-core-notification-exception/moodle-core-notification-exception.js+6 −5 modified

@@ -75,13 +75,14 @@ Y.extend(EXCEPTION, M.core.notification.info, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> ' +
-                        this.get('fileName')+'</div>'))
+                        Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> ' +
-                        this.get('lineNumber')+'</div>'))
+                        Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
                         this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -162,7 +163,7 @@ Y.extend(EXCEPTION, M.core.notification.info, {
          */
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {

lib/yui/build/moodle-core-notification-exception/moodle-core-notification-exception-min.js+1 −1 modified

@@ -1 +1 @@
-YUI.add("moodle-core-notification-exception",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle exception",l;l=function(t){var n=e.mix({},t);n.width=n.width||M.cfg.developerdebug?Math.floor(e.one(document.body).get("winWidth")/3)+"px":null,n.closeButton=!0;var r=["message","name","fileName","lineNumber","stack"];e.Array.each(r,function(e){n[e]=t[e]}),l.superclass.constructor.apply(this,[n])},e.extend(l,M.core.notification.info,{_hideTimeout:null,_keypress:null,initializer:function(t){var n,i=this,s=this.get("hideTimeoutDelay");this.get(r).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+t.COUNT+'-header-text">'+t.name+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-exception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+this.get("message")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '+this.get("fileName")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '+this.get("lineNumber")+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stack")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),s&&(this._hideTimeout=setTimeout(function(){i.hide()},s)),this.after("visibleChange",this.visibilityChanged,this),this._keypress=e.on("key",this.hide,window,"down:13,27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){this._keypress&&this._keypress.detach();var t=this;setTimeout(function(){t.destroy()},1e3)}}},{NAME:f,CSS_PREFIX:n,ATTRS:{message:{value:""},name:{value:""},fileName:{value:""},lineNumber:{value:""},stack:{setter:function(e){var t=e.split("\n"),n=new RegExp("^(.+)@("+M.cfg.wwwroot+")?(.{0,75}).*:(\\d+)$"),r;for(r in t)t[r]=t[r].replace(n,"<div class='stacktrace-line'>ln: $4</div><div class='stacktrace-file'>$3</div><div class='stacktrace-call'>$1</div>");return t.join("")},value:""},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core.exception=l},"@VERSION@",{requires:["moodle-core-notification-dialogue"]});
+YUI.add("moodle-core-notification-exception",function(e,t){var n,r,i,s,o,u,a;n="moodle-dialogue",r="notificationBase",i="yesLabel",s="noLabel",o="title",u="question",a={BASE:"moodle-dialogue-base",WRAP:"moodle-dialogue-wrap",HEADER:"moodle-dialogue-hd",BODY:"moodle-dialogue-bd",CONTENT:"moodle-dialogue-content",FOOTER:"moodle-dialogue-ft",HIDDEN:"hidden",LIGHTBOX:"moodle-dialogue-lightbox"},M.core=M.core||{};var f="Moodle exception",l;l=function(t){var n=e.mix({},t);n.width=n.width||M.cfg.developerdebug?Math.floor(e.one(document.body).get("winWidth")/3)+"px":null,n.closeButton=!0;var r=["message","name","fileName","lineNumber","stack"];e.Array.each(r,function(e){n[e]=t[e]}),l.superclass.constructor.apply(this,[n])},e.extend(l,M.core.notification.info,{_hideTimeout:null,_keypress:null,initializer:function(t){var n,i=this,s=this.get("hideTimeoutDelay");this.get(r).addClass("moodle-dialogue-exception"),this.setStdModContent(e.WidgetStdMod.HEADER,'<h1 id="moodle-dialogue-'+t.COUNT+'-header-text">'+e.Escape.html(t.name)+"</h1>",e.WidgetStdMod.REPLACE),n=e.Node.create('<div class="moodle-exception"></div>').append(e.Node.create('<div class="moodle-exception-message">'+e.Escape.html(this.get("message"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> '+e.Escape.html(this.get("fileName"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> '+e.Escape.html(this.get("lineNumber"))+"</div>")).append(e.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>'+this.get("stack")+"</pre></div>")),M.cfg.developerdebug&&n.all(".moodle-exception-param").removeClass("hidden"),this.setStdModContent(e.WidgetStdMod.BODY,n,e.WidgetStdMod.REPLACE),s&&(this._hideTimeout=setTimeout(function(){i.hide()},s)),this.after("visibleChange",this.visibilityChanged,this),this._keypress=e.on("key",this.hide,window,"down:13,27",this),this.centerDialogue()},visibilityChanged:function(e){if(e.attrName==="visible"&&e.prevVal&&!e.newVal){this._keypress&&this._keypress.detach();var t=this;setTimeout(function(){t.destroy()},1e3)}}},{NAME:f,CSS_PREFIX:n,ATTRS:{message:{value:""},name:{value:""},fileName:{value:""},lineNumber:{value:""},stack:{setter:function(t){var n=e.Escape.html(t).split("\n"),r=new RegExp("^(.+)@("+M.cfg.wwwroot+")?(.{0,75}).*:(\\d+)$"),i;for(i in n)n[i]=n[i].replace(r,"<div class='stacktrace-line'>ln: $4</div><div class='stacktrace-file'>$3</div><div class='stacktrace-call'>$1</div>");return n.join("")},value:""},hideTimeoutDelay:{validator:e.Lang.isNumber,value:null}}}),M.core.exception=l},"@VERSION@",{requires:["moodle-core-notification-dialogue"]});

lib/yui/src/notification/js/ajaxexception.js+6 −4 modified

@@ -30,15 +30,16 @@ Y.extend(AJAXEXCEPTION, M.core.notification.info, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+this.get('COUNT')+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-ajaxexception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('error')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('error'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>URL:</label> ' +
                         this.get('reproductionlink')+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-debuginfo"><label>Debug info:</label> ' +
-                        this.get('debuginfo')+'</div>'))
+                        Y.Escape.html(this.get('debuginfo'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
-                        this.get('stacktrace')+'</pre></div>'));
+                        Y.Escape.html(this.get('stacktrace'))+'</pre></div>'));
         if (M.cfg.developerdebug) {
             content.all('.moodle-exception-param').removeClass('hidden');
         }
@@ -111,6 +112,7 @@ Y.extend(AJAXEXCEPTION, M.core.notification.info, {
         reproductionlink : {
             setter : function(link) {
                 if (link !== null) {
+                    link = Y.Escape.html(link);
                     link = '<a href="'+link+'">'+link.replace(M.cfg.wwwroot, '')+'</a>';
                 }
                 return link;

lib/yui/src/notification/js/exception.js+6 −5 modified

@@ -46,13 +46,14 @@ Y.extend(EXCEPTION, M.core.notification.info, {
             delay = this.get('hideTimeoutDelay');
         this.get(BASE).addClass('moodle-dialogue-exception');
         this.setStdModContent(Y.WidgetStdMod.HEADER,
-                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + config.name + '</h1>', Y.WidgetStdMod.REPLACE);
+                '<h1 id="moodle-dialogue-'+config.COUNT+'-header-text">' + Y.Escape.html(config.name) + '</h1>',
+                Y.WidgetStdMod.REPLACE);
         content = Y.Node.create('<div class="moodle-exception"></div>')
-                .append(Y.Node.create('<div class="moodle-exception-message">'+this.get('message')+'</div>'))
+                .append(Y.Node.create('<div class="moodle-exception-message">'+Y.Escape.html(this.get('message'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-filename"><label>File:</label> ' +
-                        this.get('fileName')+'</div>'))
+                        Y.Escape.html(this.get('fileName'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-linenumber"><label>Line:</label> ' +
-                        this.get('lineNumber')+'</div>'))
+                        Y.Escape.html(this.get('lineNumber'))+'</div>'))
                 .append(Y.Node.create('<div class="moodle-exception-param hidden param-stacktrace"><label>Stack trace:</label> <pre>' +
                         this.get('stack')+'</pre></div>'));
         if (M.cfg.developerdebug) {
@@ -133,7 +134,7 @@ Y.extend(EXCEPTION, M.core.notification.info, {
          */
         stack : {
             setter : function(str) {
-                var lines = str.split("\n"),
+                var lines = Y.Escape.html(str).split("\n"),
                     pattern = new RegExp('^(.+)@('+M.cfg.wwwroot+')?(.{0,75}).*:(\\d+)$'),
                     i;
                 for (i in lines) {

lib/yui/src/notification/meta/notification.json+1 −0 modified

@@ -13,6 +13,7 @@
         "base",
         "node",
         "panel",
+        "escape",
         "event-key",
         "dd-plugin",
         "moodle-core-widget-focusafterclose",

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

github.com/advisories/GHSA-f66h-6mj2-rwj2ghsaADVISORY
moodle.org/mod/forum/discuss.phpnvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2014-3548ghsaADVISORY
openwall.com/lists/oss-security/2014/07/21/1nvdWEB
github.com/moodle/moodle/commit/166e18d7cbb36d58d08a2783edd98284d5a3b98aghsaWEB
github.com/moodle/moodle/commit/53ca351f7af8d80a0ff0aba27a1c278fb731d288ghsaWEB
github.com/moodle/moodle/commit/6eb787b873f5d3718dc8a74f798ee528d600d8feghsaWEB
github.com/moodle/moodle/commit/a1ae35173b54ed0c2c3736dfa78cad9899a55d4eghsaWEB
web.archive.org/web/20200228161543/http://www.securityfocus.com/bid/68766ghsaWEB
www.securityfocus.com/bid/68766nvd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000