Security patch for edit_chapter xss lint issues

Hello all,

We have released a patch (which is attached to this email) for cross-site scripting (XSS) vulnerability in edx-platform edit chapter page.

Affected repo: edx-platform
Branches: Ironwood, master

Without this patch, it was possible to execute scripts if they are present in error messages in edit chapter page, as a result, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser.

We advise you to patch your instances as soon as possible; We have merged the fix to our public repo. Let us know if you have any questions.

Thank you,

Ali Akbar
Sustaining Mavericks

ironwood_xss_lint.patch (907 Bytes)


Thank you for the update but there is no attachment to the email I received. Am I missing something?

1 Like

I’m sorry about that. I’ve edited the post and attached the patch with it.


Thanks @Ali_Akbar for this announcement. As of now, the patch has not landed in ironwood.master (currently at 1b3b4d0). It’s much more convenient to pull a patch from a git repo than from a discourse post – could someone please merge it?


I’ve cherry-picked this and two other recent XSS fixes to Ironwood.