Great bug on table c_quiz_answer
As the field "answer" on table "c_quiz_answer" is defined as TEXT, and any user (from the wysiwyg editor) can copy and paste images to a test, and those images are inserted inside de html code of that answer as BASE64 encoded image, if you upload a big image, the code will result on a XSS security hole!
One of our teachers has experienced this problem and this makes the test VEEERY inestable.
This could be simply fixed changing the table field to LONGTEXT instead of just TEXT. This was tested by me and fully functional now!
A collateral damage of this fix could be database fragmentation, so a less-simpler fix could be modifying the posted base64 images and decode them from HTML code in BASE64 to the original image and store those images in a specific folder. This way, database would be un-fragmented.
This is the mysql code for this table on database:
CREATE or replace table `c_quiz_answer` (
`c_id` int(11) NOT NULL,
`id` int(10) unsigned NOT NULL,
`id_auto` int(11) NOT NULL AUTO_INCREMENT,
`question_id` int(10) unsigned NOT NULL,
`answer` longtext NOT NULL,
`correct` mediumint(8) unsigned DEFAULT NULL,
`ponderation` float(6,2) NOT NULL DEFAULT '0.00',
`position` mediumint(8) unsigned NOT NULL DEFAULT '1',
`hotspot_type` enum('square','circle','poly','delineation','oar') DEFAULT NULL,
`destination` text NOT NULL,
`answer_code` char(10) DEFAULT '',
PRIMARY KEY (`c_id`,`id_auto`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
To update just the database for this change, you should run this code on mysql with chamilo already installed:
alter table c_quiz_answer modify column answer longtext NOT NULL;
You should keep in mind that the installation script should be changed, in order to allow this issue to be propagated to the upcomming installations from other people.
Updated by Julio Montoya over 7 years ago
- Assignee deleted (
- Priority changed from Immediate to Normal
- Target version changed from 1.9.8 to 2.0
That change is fine for me it will be included in Chamilo 1.10 (database changes are not allowed for chamilo 1.9.x)
I'm also descending the priority because Chamilo could work fine using the images with the fckeditor tool.
PS: Please don't assign to any specific developer.
Updated by Miguel José Amez Riendas over 7 years ago
I've been checking code and the problem is on the answer.class.php class on the updates.
I didn't have the last changes from master on testing server and updates were failing! Fixed it and now it works!
Consider this as closed when you finish testing.