From 776cc02ed8eca612343eaee150835d525a057e46 Mon Sep 17 00:00:00 2001 From: David McKain Date: Wed, 16 Apr 2014 21:03:06 +0100 Subject: [PATCH 1/6] Oops - this should never have been committed! --- .../java/uk/ac/ed/ph/jqtiplus/qtiv2utils.java | 296 ------------------ 1 file changed, 296 deletions(-) delete mode 100644 qtiworks-jqtiplus/src/main/java/uk/ac/ed/ph/jqtiplus/qtiv2utils.java diff --git a/qtiworks-jqtiplus/src/main/java/uk/ac/ed/ph/jqtiplus/qtiv2utils.java b/qtiworks-jqtiplus/src/main/java/uk/ac/ed/ph/jqtiplus/qtiv2utils.java deleted file mode 100644 index de83cd2ae..000000000 --- a/qtiworks-jqtiplus/src/main/java/uk/ac/ed/ph/jqtiplus/qtiv2utils.java +++ /dev/null 
@@ -1,296 +0,0 @@ -/* -Copyright (c) 2005-2007, University of Cambridge, University of Kingston upon Thames and Dr Graham Smith -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - -* Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution. - -* Neither the name of the University of Cambridge nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS -IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER -OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -*/// lines added (//DT) for Desktoprenderer -//THIS WILL NOT AFFECT USE IN DEMO OR TEST SITE. 
- -package uk.ac.ed.ph.jqtiplus; - -//Miscellaneous methods - -public class qtiv2utils - { -// public static String formatVariable -// (final String theValue, String formatString, final String thebase) -// { -// final String conversionCodes = "EefGgoXx"; -// final String numbers = "0123456789"; -// final String floatconversions = "eEfgG"; -// String codeLetter = ""; -// final String widthCode = ""; -// final String precisionCode = ""; -// final int letterpos = -1; -// String output; -// double fltval = 0; -// int intval = 0; -// final char c ='|'; -// boolean suppresszeros = false; -// //System.out.println("FORMAT VARIABLE"); -// codeLetter = formatString.substring(formatString.length()-1); -// //System.out.println("CODE LETTER: " + codeLetter); -// if(conversionCodes.indexOf(codeLetter) < 0) -// { -// if -// ( -// (codeLetter.equals("r")) -// || -// (codeLetter.equals("R")) -// ) -// { -// //System.out.println("HANDLE rR"); -// output = formatR(formatString, theValue); -// } -// -// else if(codeLetter.equals("i")) -// { -// //System.out.println("HANDLE i"); -// output = formati(formatString, theValue, thebase); -// } -// else -// throw new gqtiexcept.XMLException("Unrecognised conversion code: '" + formatString + "'"); -// -// // With i or rR -// //System.out.println("FORMAT VARIABLE OUTPUT: " + output+ ":");//to do -// output = output.replace(" "," "); -// // System.out.println("FORMAT VARIABLE OUTPUT: " + output+ ":");//to do -// return output; -// } -// -// //standard handling -// //System.out.println("STANDARD FORMAT WITH . 
" + formatString); -// //System.out.println("Value " + theValue); -// //modify behaviour with g conversion codes with integers -// //and with # -// if -// ( -// (codeLetter.equals("g")) -// || -// (codeLetter.equals("G")) -// ) -// { -// if(theValue.indexOf(".") < 0) -// { -// //number is in fact an integer -// suppresszeros = true; -// //System.out.println(" SUPPRESS Zeros"); -// } -// if(formatString.indexOf("#") > -1) -// { -// formatString = formatString.replace("#",""); -// suppresszeros = false; -// } -// } -// -// if(floatconversions.indexOf(codeLetter) < 0) -// { -// intval = Integer.parseInt(theValue); -// output = String.format(formatString, intval); -// } -// else -// { -// fltval = Double.parseDouble(theValue); -// output = String.format(formatString, fltval); -// } -// -// //System.out.println(" FORMAT STRING: " + formatString); -// //System.out.println("FORMAT VARIABLE OUTPUT: " + output+ ":");//to do -// if(suppresszeros) -// if(output.indexOf(".0") > -1) -// output = output.substring(0, output.indexOf(".0")); -// output = output.replace(" "," "); -// //System.out.println("FORMAT VARIABLE OUTPUT: " + output+ ":");//to do -// return output; -// } -// -// -// public static String formati -// //Java does not handle i -// (String formatString, String theValue, final String thebase) -// { -// //System.out.println("FORMATi"); -// //System.out.println("theValue: "+ theValue); -// //System.out.println("formatString: "+ formatString); -// int base = 10; -// int theval; -// final int letterpos = -1; -// String output; -// final String numbers = "0123456789"; -// String precisionCode; -// double numericalvalue; -// char c; -// // detect if a precision is indicated; -// -// -// if (formatString.indexOf(".") > -1) -// {//treat as width specifier -// precisionCode = formatString.substring -// (formatString.indexOf(".") +1, formatString.length()-1); -// //System.out.println("PRECISION CODE" +precisionCode); -// final int widthVal = Integer.parseInt(precisionCode); 
-// //System.out.println("WIDTHVAL" + widthVal); -// c = theValue.charAt(0); // c is the sign char +, - or space -// //System.out.println("INIT char " + c); -// -// //Take off the sign char -// if(numbers.indexOf(c) < 0) -// theValue = theValue.substring(1); -// final int len = theValue.length(); -// numericalvalue = Float.parseFloat(theValue); -// //System.out.println("NUMERICAL VALUE" + numericalvalue); -// -// //Formatting zero with precision 0 gives no output -// if((numericalvalue==0)&&(widthVal==0)) -// { -// output = ""; -// return output; -// } -// -// //System.out.println("THE VALUE Length" + len); -// //Adjust width to the minimum -// if (widthVal > len) -// for(int z = 0; z < (widthVal-len); z++) -// theValue = "0" + theValue; -// if(numbers.indexOf(c) < 0) -// theValue = c + theValue; -// //System.out.println("THE New VALUE" + theValue); -// output = theValue; -// return output; -// }//if there is a "." -// -// //otherwise replace "i" with "d" and use normal Java -// formatString = formatString.replace("i","d"); -// //System.out.println("Modifed formatString: "+ formatString); -// if (! 
thebase .equals("")) -// base = Integer.parseInt(thebase); -// if (base!=10) -// { -//// theValue = MathHandler.base10toBasex(base, theValue); -// output = theValue; -// return output;//may have to do some formatting for base10 numbers -// } -// else -// { -// theval = Integer.parseInt(theValue); -// output = String.format(formatString, theval); -// return output; -// } -// } -// -// -//public static String formatR (String formatString, final String theValue) -// //Special handling required in QTI -// { -// char c ='|'; -// int noOfZeros = 0; -// String tempval; -// final String widthCode; -// final String precisionCode; -// String output; -// final String Integers; -// final int Integerlength; -// int z; -// double theval = 0; -// -// //System.out.println("HANDLE Rr"); -// //System.out.println("formatString: " + formatString); -// -// //find decimal part if the number is not integral -// //(not necessarily declared as float) -// -// //find number of zeros -// int pos = -1; -// if (theValue.indexOf(".") > -1) -// { -// String decimals = theValue.substring(theValue.indexOf(".") + 1); -// //System.out.println("The Value After Decimal point: " + decimals); -// for (z = 0; z < decimals.length(); z++) -// { -// c = decimals.charAt(z); -// //System.out.println("Char: " + c); -// if (c != '0') -// { -// pos = z; -// //System.out.println("OUT"); -// break; -// } -// noOfZeros ++; -// } -// -// //System.out.println("Number of zeros: " + noOfZeros); -// -// if(noOfZeros < 4)//can use normal Java g processing) -// { -// //System.out.println("No of Zeros less than 4 "); -// //System.out.println("Format String:" + formatString); -// theval = Double.parseDouble(theValue); -// formatString = formatString.replace("r","g").replace("R","G"); -// //System.out.println("Format String:" + formatString); -// output = String.format(formatString, theval); -// return output; -// } -// -// //System.out.println("No of Zeros more than 4 "); -// //Would normally use Scientific notation" -// 
//Manipulate g conversion allowing unlimited zeros -// if (pos > -1) -// { -// decimals = decimals.substring(pos); -// } -// decimals = "." + decimals; -// //System.out.println("Value stripped of zeros: " + decimals); -// theval = Double.parseDouble(decimals); -// //System.out.println("theval: " + theval); -// formatString = formatString.replace("r","g").replace("R","G"); -// tempval = String.format (formatString, theval); -// //System.out.println("tempval: " + tempval); -// tempval = tempval.substring(tempval.indexOf(".") + 1); -// //System.out.println("tempval after decimal point: " + tempval); -// //add back leading zeros -// for(z = 0; z < noOfZeros; z++) -// tempval = "0" + tempval; -// //System.out.println("tempval: " + tempval); -// tempval = "0." + tempval; -// return tempval; -// } -// -// // if there is no "." in value -// //can use normal Java g processing) -// //System.out.println("NO DECIMAL POINT"); -// theval = Double.parseDouble(theValue); -// formatString = formatString.replace("r","g"); -// formatString = formatString.replace("R","G"); -// output = String.format(formatString, theval); -// return output; -// } -// -// -// - -}//qtiv2utils From 1600ffa17b171ac117836f036e943aeb5c5594ba Mon Sep 17 00:00:00 2001 From: David McKain Date: Thu, 17 Apr 2014 13:38:47 +0100 Subject: [PATCH 2/6] Added extra debug logging to system user authn This can help diagnose issues with usernames & passwords. (The actual details are not shown to the end user for security reasons.) --- .../ph/qtiworks/web/authn/SystemUserAuthenticationServlet.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/qtiworks-engine/src/main/java/uk/ac/ed/ph/qtiworks/web/authn/SystemUserAuthenticationServlet.java b/qtiworks-engine/src/main/java/uk/ac/ed/ph/qtiworks/web/authn/SystemUserAuthenticationServlet.java index 4e1131ffa..c1b158b59 100644 --- a/qtiworks-engine/src/main/java/uk/ac/ed/ph/qtiworks/web/authn/SystemUserAuthenticationServlet.java 
+++ b/qtiworks-engine/src/main/java/uk/ac/ed/ph/qtiworks/web/authn/SystemUserAuthenticationServlet.java @@ -145,12 +145,14 @@ protected SystemUser tryAuthentication(final String loginName, final String pass final SystemUser user = systemUserDao.findByLoginName(loginName); final String badDetails = "Sorry, your login details were not correct. Please try again."; if (user==null) { + logger.debug("System User {} does not exist", loginName); errors.add(badDetails); return null; } /* Then check password */ final String passwordDigest = ServiceUtilities.computePasswordDigest(user.getPasswordSalt(), password); if (!passwordDigest.equals(user.getPasswordDigest())) { + logger.debug("Password mismatch for System User {}", loginName); errors.add(badDetails); return null; } From 9c731377f3a711ca61558c437a4dc7b90703e9f5 Mon Sep 17 00:00:00 2001 From: David McKain Date: Fri, 9 May 2014 08:58:26 +0100 Subject: [PATCH 3/6] XSS fix: unescaped var interpolation in login form There was unescaped variable interpolation in the login form, which could potentially cause an XSS exploit. This is now fixed. This form is a bit ancient and wasn't checked with the 'internal' JSPs when I checked for these types of problems last year. --- .../src/main/webapp/WEB-INF/jsp/login/systemUserLogin.jsp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/login/systemUserLogin.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/login/systemUserLogin.jsp index 5ef77afee..259246e9c 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/login/systemUserLogin.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/login/systemUserLogin.jsp @@ -25,7 +25,7 @@ All Rights Reserved
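Review bot: Both added `logger.debug` calls write `loginName` into the log verbatim, and since it appears to be the value taken from the login request (the method starts before this hunk, so its caller is not visible), a name containing CR/LF or other control characters can split or forge log records; neutralise it first, e.g. `logger.debug("System User {} does not exist", loginName.replaceAll("[\\r\\n\\t]", "?"));` and likewise on the mismatch line, ideally with a length cap. The two messages intentionally distinguish an unknown user from a wrong password, which is acceptable at DEBUG because the end user still only sees the uniform `badDetails` text, but that level should be documented as revealing account existence so it is not left enabled on shared or forwarded logs. Separately, the unchanged `passwordDigest.equals(user.getPasswordDigest())` is a non-constant-time comparison and no digest is computed at all on the user-not-found path, so `MessageDigest.isEqual` on the digest bytes plus a dummy digest computation before the early `return null` would remove the timing differences this commit leaves in place. tryAuthentication continues past the end of the hunk.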
    -
  • ${e}
  • +
  • ${fn:escapeXml(e)}
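Review bot: `${fn:escapeXml(e)}` is the right fix for element content, but the other two hunks of this file (`@@ -35,7 +35,7` and `@@ -44,7 +44,7`) have lost their markup in this rendering, so whether the escaped values there land in a quoted attribute (where `fn:escapeXml` suffices, as it also escapes `"` and `'`) or in a script, style or URL context (where it does not) cannot be confirmed here and should be checked in the file itself. Given the commit message notes this form was missed by the earlier audit, a regression test that submits a login name containing `<` and `"` and asserts the rendered page contains only the escaped form would keep the fix from silently regressing. The enclosing loop that binds `e` starts outside the hunk.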
@@ -35,7 +35,7 @@ All Rights Reserved
- +
@@ -44,7 +44,7 @@ All Rights Reserved
- +
From fec9e75c331a1a398556ff5809529d2d7bf31008 Mon Sep 17 00:00:00 2001 From: David McKain Date: Mon, 12 May 2014 09:18:30 +0100 Subject: [PATCH 4/6] XSS: Further risky unescaped outputs in JSP Following from the last commit, an audit of the other JSP files revealed a few other potential risky unescaped outputs in JSP. These a fixed in this commit. --- .../jsp/views/instructor/createDeliveryForm.jsp | 2 +- .../jsp/views/instructor/editDeliveryForm.jsp | 2 +- .../jsp/views/instructor/showCandidateSession.jsp | 13 ++++++------- .../views/lti/instructor/showCandidateSession.jsp | 13 ++++++------- 4 files changed, 14 insertions(+), 16 deletions(-) diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/createDeliveryForm.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/createDeliveryForm.jsp index 2acda6544..34d325c04 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/createDeliveryForm.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/createDeliveryForm.jsp @@ -70,7 +70,7 @@ deliveryTemplate
  • ${fn:escapeXml(utils:trimSentence(ds.prompt, 200))}
    diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/editDeliveryForm.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/editDeliveryForm.jsp index 88ecf913b..3cd2a3dc9 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/editDeliveryForm.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/editDeliveryForm.jsp @@ -72,7 +72,7 @@ deliveryTemplate
  • ${fn:escapeXml(utils:trimSentence(ds.prompt, 200))}
    diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showCandidateSession.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showCandidateSession.jsp index f01babf04..4517f0d3f 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showCandidateSession.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showCandidateSession.jsp @@ -15,7 +15,6 @@ candidateEventSummaryDataList <%@ include file="/WEB-INF/jsp/includes/pageheader.jspf" %> -
    @@ -63,8 +62,8 @@ candidateEventSummaryDataList
    -
    LTI Result Outcome Variable (${candidateSessionSummaryMetadata.lisResultOutcomeIdentifier})
    -
    ${candidateSessionSummaryData.lisResultOutcomeValue}
    +
    LTI Result Outcome Variable (${fn:escapeXml(candidateSessionSummaryMetadata.lisResultOutcomeIdentifier)})
    +
    ${fn:escapeXml(candidateSessionSummaryData.lisResultOutcomeValue)}
    @@ -137,16 +136,16 @@ candidateEventSummaryDataList - ${candidateSessionSummaryMetadata.numericOutcomeIdentifiers[index]} - ${candidateSessionSummaryData.numericOutcomeValues[index]} + ${fn:escapeXml(candidateSessionSummaryMetadata.numericOutcomeIdentifiers[index])} + ${fn:escapeXml(candidateSessionSummaryData.numericOutcomeValues[index])} - ${candidateSessionSummaryMetadata.otherOutcomeIdentifiers[index]} - ${candidateSessionSummaryData.otherOutcomeValues[index]} + ${fn:escapeXml(candidateSessionSummaryMetadata.otherOutcomeIdentifiers[index])} + ${fn:escapeXml(candidateSessionSummaryData.otherOutcomeValues[index])} diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showCandidateSession.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showCandidateSession.jsp index 2aab2a18c..0283fcf16 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showCandidateSession.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showCandidateSession.jsp @@ -15,7 +15,6 @@ candidateEventSummaryDataList <%@ include file="/WEB-INF/jsp/includes/pageheader.jspf" %> -
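Review bot: Every fixed output site in this commit (here, in createDeliveryForm.jsp, editDeliveryForm.jsp and the LTI showCandidateSession.jsp) wraps the expression in `${fn:escapeXml(...)}`, which leaves each remaining bare `${...}` in these templates as an opt-in decision the next edit can forget; `<c:out value="${candidateSessionSummaryData.lisResultOutcomeValue}"/>` escapes by default and is the idiomatic JSTL form for values that originate from assessment content. The `@@ -15,7 +15,6` hunks in both showCandidateSession.jsp files remove a line whose content this rendering has dropped, so what was taken out (presumably a debug dump, given the later `dumpObject` changes in this series) cannot be confirmed from here. The loops indexing `numericOutcomeIdentifiers[index]` and `otherOutcomeIdentifiers[index]` start and end outside the `-137` and `-127` hunks.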
    @@ -48,8 +47,8 @@ candidateEventSummaryDataList
    -
    LTI Result Outcome Variable (${candidateSessionSummaryMetadata.lisResultOutcomeIdentifier})
    -
    ${candidateSessionSummaryData.lisResultOutcomeValue}
    +
    LTI Result Outcome Variable (${fn:escapeXml(candidateSessionSummaryMetadata.lisResultOutcomeIdentifier)})
    +
    ${fn:escapeXml(candidateSessionSummaryData.lisResultOutcomeValue)}
    @@ -127,16 +126,16 @@ candidateEventSummaryDataList - ${candidateSessionSummaryMetadata.numericOutcomeIdentifiers[index]} - ${candidateSessionSummaryData.numericOutcomeValues[index]} + ${fn:escapeXml(candidateSessionSummaryMetadata.numericOutcomeIdentifiers[index])} + ${fn:escapeXml(candidateSessionSummaryData.numericOutcomeValues[index])} - ${candidateSessionSummaryMetadata.otherOutcomeIdentifiers[index]} - ${candidateSessionSummaryData.otherOutcomeValues[index]} + ${fn:escapeXml(candidateSessionSummaryMetadata.otherOutcomeIdentifiers[index])} + ${fn:escapeXml(candidateSessionSummaryData.otherOutcomeValues[index])} From 004478c1306882a8d01ad0c1874d77ae226610ed Mon Sep 17 00:00:00 2001 From: David McKain Date: Mon, 12 May 2014 09:20:17 +0100 Subject: [PATCH 5/6] Further minor defensive JSP improvements Following from the previous 2 XSS fixes, this commit adds further defensive output escaping to JSPs for values which do not _need_ escaping (such as enum constants, internally generated values, numbers). --- .../uk/ac/ed/ph/qtiworks/web/view/ElFunctions.java | 12 ++++++------ .../instructor/assessmentOutcomesSettingsForm.jsp | 2 +- .../jsp/views/instructor/listCandidateSessions.jsp | 8 ++++---- .../WEB-INF/jsp/views/instructor/showAssessment.jsp | 2 +- .../views/instructor/showCandidateSessionEvents.jsp | 1 - .../WEB-INF/jsp/views/instructor/showDelivery.jsp | 4 ++-- .../instructor/assessmentOutcomesSettingsForm.jsp | 2 +- .../views/lti/instructor/listCandidateSessions.jsp | 8 ++++---- .../jsp/views/lti/instructor/resourceDashboard.jsp | 2 +- .../jsp/views/lti/instructor/showAssessment.jsp | 2 +- .../lti/instructor/showCandidateSessionEvents.jsp | 1 - 11 files changed, 21 insertions(+), 23 deletions(-) diff --git a/qtiworks-engine/src/main/java/uk/ac/ed/ph/qtiworks/web/view/ElFunctions.java b/qtiworks-engine/src/main/java/uk/ac/ed/ph/qtiworks/web/view/ElFunctions.java index 942153f07..222e294d2 100644 
--- a/qtiworks-engine/src/main/java/uk/ac/ed/ph/qtiworks/web/view/ElFunctions.java +++ b/qtiworks-engine/src/main/java/uk/ac/ed/ph/qtiworks/web/view/ElFunctions.java @@ -100,12 +100,6 @@ public static String formatDayDateAndTime(final Date time) { return time!=null ? ViewUtilities.getDayDateAndTimeFormat().format(time) : ""; } - public static String dumpObject(final Object object) { - return escapeXml(ObjectDumper.dumpObject(object, DumpMode.DEEP)); - } - - //------------------------------------------------- - /* NB: We prefer String over URI here as it's more general, and takes advantage of * stringification within the JSTL. */ @@ -144,6 +138,12 @@ public static String formatTestPlanNodeKey(final TestPlanNodeKey testPlanNodeKey return resultBuilder.toString(); } + //------------------------------------------------- + + public static String dumpObject(final Object object) { + return escapeXml(ObjectDumper.dumpObject(object, DumpMode.DEEP)); + } + private static String escapeXml(final String rawString) { return XmlEscapers.xmlContentEscaper().escape(rawString); } diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/assessmentOutcomesSettingsForm.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/assessmentOutcomesSettingsForm.jsp index dae41e98a..fc0fe182a 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/assessmentOutcomesSettingsForm.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/assessmentOutcomesSettingsForm.jsp @@ -56,7 +56,7 @@ outcomeDeclarationList
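Review bot: The relocated `dumpObject` still routes through the private `escapeXml`, which is backed by `XmlEscapers.xmlContentEscaper()`; that escaper handles `<`, `>` and `&` only, so its output is safe as element content but not inside a quoted attribute, and the generic name invites the latter use from a JSP. Either document the limit, e.g. `/** Escapes for element content only; NOT safe inside attribute values. */`, or switch the helper to `XmlEscapers.xmlAttributeEscaper()`, which also escapes quotes and is a superset of the content escaper. Since `dumpObject` renders a `DumpMode.DEEP` dump of an arbitrary object into an instructor-facing page, it is also worth gating to development builds, because any credential-bearing field on the dumped object (the delivery's LTI secret is rendered elsewhere in this series) would surface in the HTML. The moved method is otherwise unchanged, and the rest of ElFunctions lies outside the hunk.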
    - +
    diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/listCandidateSessions.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/listCandidateSessions.jsp index 5bb675378..7859425dd 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/listCandidateSessions.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/listCandidateSessions.jsp @@ -64,7 +64,7 @@ candidateSessionListRouting (xid -> action -> URL) - ${candidateSessionSummaryMetadata.lisResultOutcomeIdentifier} Value + ${fn:escapeXml(candidateSessionSummaryMetadata.lisResultOutcomeIdentifier)} Value Normalized Score Reporting Status @@ -84,7 +84,7 @@ candidateSessionListRouting (xid -> action -> URL) ${row.sessionId} - ${row.sessionStatusMessage} + @@ -92,8 +92,8 @@ candidateSessionListRouting (xid -> action -> URL) - ${row.lisScore} - ${row.lisReportingStatusMessage} + + (Not Available) diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showAssessment.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showAssessment.jsp index 957d49a02..d0a2c2abf 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showAssessment.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showAssessment.jsp @@ -112,7 +112,7 @@ Shows information about a particular Assessment
    - Reporting outcome ${assessment.ltiResultOutcomeIdentifier} + Reporting outcome ${fn:escapeXml(assessment.ltiResultOutcomeIdentifier)} with range [${assessment.ltiResultMinimum}..${assessment.ltiResultMaximum}] diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showCandidateSessionEvents.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showCandidateSessionEvents.jsp index e5bde4cd8..004bb7b54 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showCandidateSessionEvents.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showCandidateSessionEvents.jsp @@ -15,7 +15,6 @@ candidateEventSummaryDataList <%@ include file="/WEB-INF/jsp/includes/pageheader.jspf" %> -
    diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showDelivery.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showDelivery.jsp index 6de90a5d4..2aeca5346 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showDelivery.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/instructor/showDelivery.jsp @@ -121,8 +121,8 @@ Shows a Delivery

    • Launch URL: ${fn:escapeXml(deliveryRouting['ltiLaunch'])}
    • -
    • Key: ${delivery.id}X${delivery.ltiConsumerKeyToken}
    • -
    • Secret: ${delivery.ltiConsumerSecret}
    • +
    • Key: ${delivery.id}X${fn:escapeXml(delivery.ltiConsumerKeyToken)}
    • +
    • Secret: ${fn:escapeXml(delivery.ltiConsumerSecret)}
    diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/assessmentOutcomesSettingsForm.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/assessmentOutcomesSettingsForm.jsp index dda1509df..f7e3e9814 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/assessmentOutcomesSettingsForm.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/assessmentOutcomesSettingsForm.jsp @@ -52,7 +52,7 @@ outcomeDeclarationList
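Review bot: `Secret: ${fn:escapeXml(delivery.ltiConsumerSecret)}` in the showDelivery.jsp hunk above renders the LTI consumer secret into the page body; escaping is the correct fix for the XSS class, but a credential in HTML also ends up in browser caches, intermediate proxies and any HTML-scraping log, so unless the controller for this view already sets `Cache-Control: no-store` (not visible from this hunk) it should, and the adjacent `ltiConsumerKeyToken` line deserves the same treatment. If the same delivery object is ever passed to the `dumpObject` helper this series moves around, the secret would also appear in that dump, so that path warrants the same care. The surrounding list markup starts and ends outside the hunk.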
    - +
    diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/listCandidateSessions.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/listCandidateSessions.jsp index dcee6cbdc..6901d27a1 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/listCandidateSessions.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/listCandidateSessions.jsp @@ -56,7 +56,7 @@ candidateSessionListRouting (xid -> action -> URL) - ${candidateSessionSummaryMetadata.lisResultOutcomeIdentifier} Value + ${fn:escapeXml(candidateSessionSummaryMetadata.lisResultOutcomeIdentifier)} Value Normalized Score Reporting Status @@ -76,7 +76,7 @@ candidateSessionListRouting (xid -> action -> URL) ${row.sessionId} - ${row.sessionStatusMessage} + @@ -84,8 +84,8 @@ candidateSessionListRouting (xid -> action -> URL) - ${row.lisScore} - ${row.lisReportingStatusMessage} + + (Not Available) diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/resourceDashboard.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/resourceDashboard.jsp index 1cd112ee3..12ea09ecb 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/resourceDashboard.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/resourceDashboard.jsp @@ -105,7 +105,7 @@ LTI resource dashboard (after domain-level launch)
    - Reporting outcome ${thisAssessment.ltiResultOutcomeIdentifier} + Reporting outcome ${fn:escapeXml(thisAssessment.ltiResultOutcomeIdentifier)} with range [${thisAssessment.ltiResultMinimum}..${thisAssessment.ltiResultMaximum}] diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showAssessment.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showAssessment.jsp index c404894ee..76e0d8d9c 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showAssessment.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showAssessment.jsp @@ -111,7 +111,7 @@ Shows information about a particular Assessment
    - Reporting outcome ${assessment.ltiResultOutcomeIdentifier} + Reporting outcome ${fn:escapeXml(assessment.ltiResultOutcomeIdentifier)} with range [${assessment.ltiResultMinimum}..${assessment.ltiResultMaximum}] diff --git a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showCandidateSessionEvents.jsp b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showCandidateSessionEvents.jsp index e470a1818..8a6c71bd7 100644 --- a/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showCandidateSessionEvents.jsp +++ b/qtiworks-engine/src/main/webapp/WEB-INF/jsp/views/lti/instructor/showCandidateSessionEvents.jsp @@ -15,7 +15,6 @@ candidateEventSummaryDataList <%@ include file="/WEB-INF/jsp/includes/pageheader.jspf" %> -
    From ef70a97a657a685d9b24bf47ee76be63dc22b351 Mon Sep 17 00:00:00 2001 From: David McKain Date: Mon, 12 May 2014 10:07:46 +0100 Subject: [PATCH 6/6] Updated release notes for 1.0.0-beta7 release --- .../src/main/webapp/release-notes.jsp | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/qtiworks-engine/src/main/webapp/release-notes.jsp b/qtiworks-engine/src/main/webapp/release-notes.jsp index 7131b9632..b797c7333 100644 --- a/qtiworks-engine/src/main/webapp/release-notes.jsp +++ b/qtiworks-engine/src/main/webapp/release-notes.jsp @@ -12,6 +12,26 @@ All Rights Reserved

    QTIWorks Release Notes

    +

    Release 1.0-beta7 (12/05/2014)

    +

    + Security release. This fixes potential cross-site scripting (XSS) vulnerabilities + caused by a failure to escape user input in some instructor-facing JSP + pages, including the system user login page. +

    +

    + The public demo of QTIWorks has been + upgraded in conjunction with this release. All people running their own + QTIWorks installations are strongly encouraged to upgrade as soon as + possible. +

    +

    Issues resolved

    +
      +
    • + #45: XSS vulnerabilities + in some instructor interface pages. +
    • +
    +

    Release 1.0-beta6 (15/04/2014)

    This is hoped to be the final beta before a RC or final 1.0.0 release.