This XSS reflection security risk was discovered during the January 2013 FlossHack event and credited to Kevin Jacobs:
- module/reporting/indicators/manageDimensions.form (executes previously injected Dimension Name scripts)
- reporting/indicators/editCohortDefinitionDimension: name and description parameters. XSS
Expected behavior: Wherever a dimension name is outputted to the screen, it should be escaped (XML-escaped or JS-escaped, as relevant)
Observed behavior: If you put a <script> tag in the dimension name, the script will be executed on several pages.
(Surely this same vulnerability exists in other screens in the reporting module, so while doing this ticket, it would be nice to also fix screens related to other reporting definitions. Alternately, look at the screens for other definition types, and create a similar ticket for any vulnerabilities found.)