Fix a potential XSS vulnerability in the past answers table (the Answer Log). (hotfix) #2762
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
drgrice1
changed the title
taniwallach
previously approved these changes
Jul 3, 2025
Member
taniwallach
left a comment
taniwallach
left a comment
There was a problem hiding this comment.
I tested the change in the WW 2.20 branch, and it fixes the XSS issue and handles the special delimiter nicely.
I do think the hotfix is warranted.
…er Log). If MathQuill is enabled and a student types `"<script>alert(1);</script>` and submits the answer, then that script is executed if an instructor views the answer on the past answers page. If MathQuill is not enabled, and a student simply enters `<script>alert(1);</script>` the same thing happens. This is due to a change in openwebwork#1899 to make the special character `&openwebwork#1970;` used to separate array answers (usually coming from checkbox answers) display correctly. To fix this better handling of answers with that character is needed. So this splits the student answers on that character, and now DOES html escape all other parts of the student answer again, but directly inserts the `⍮` characters without escaping. The effect is that answers will still be displayed the same as they were before other than scripts in the answer. Those will now actually appear as text. Note that is the same as it would have been before openwebwork#1899.
drgrice1
force-pushed
the
past-answer-xss-hotfix
branch
from
510a434 to
f53500a
Compare
pstaabp
approved these changes
Jul 8, 2025
dlglin
approved these changes
Jul 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If MathQuill is enabled and a student types
"<script>alert(1);</script>and submits the answer, then that script is executed if an instructor views the answer on the past answers page. If MathQuill is not enabled, and a student simply enters<script>alert(1);</script>the same thing happens.This is due to a change in #1899 to make the special character
޲used to separate array answers (usually coming from checkbox answers) display correctly.To fix this better handling of answers with that character is needed. So this splits the student answers on that character, and now DOES html escape all other parts of the student answer again, but directly inserts the
⍮characters without escaping. The effect is that answers will still be displayed the same as they were before other than scripts in the answer. Those will now actually appear as text. Note that is the same as it would have been before #1899.I am suggesting this as a hotfix since this affects webwork 2.19 and was introduced in the version of webwork2. So we might as well fix this for all affected versions since that is as far back as this goes.