XWiki Commons / XCOMMONS-2568

Restricted HTML filtering bypass (XSS) via HTML comments


Details

    • Pull Request accepted

    Description

      Steps to reproduce:

      Filter the input

      <!--> <Details Open OnToggle=confirm("XSS")>

      in restricted mode (in XWiki, e.g., put the code in an HTML macro as a user without script right or in a comment).

      Expected result:

      Either the ontoggle attribute is removed, or the whole content is interpreted as a comment and no stray leading < is emitted.

      Actual result:

      <!--> <Details Open OnToggle=confirm("XSS")>-->

      When this output is rendered in a browser, a confirmation dialog with the message "XSS" is displayed.

      The cause is that HtmlCleaner parses <!--> as the start of an HTML comment, while browsers (correctly) parse it as an empty comment: per the HTML specification, the text of a comment must not start with >. Because HtmlCleaner then closes what it takes to be an unterminated comment by appending -->, the details element with its ontoggle handler ends up outside the (empty) comment and is live in the browser, even though the cleaner never saw it as an element to filter.

      This issue has also been reported to HtmlCleaner as bug 234.

      This security issue only exists since XWiki 14.6RC1, because HTML attributes have only been filtered to prevent XSS since XCOMMONS-1680.
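      The parser differential described above, as an added illustration that is not code from XWiki or HtmlCleaner: the naive comment rule (everything after <!-- up to the next -->) is compared with the HTML tokenizer's rule (<!--> and <!---> are complete, empty comments) on the report's input and on the cleaner's output. The tag and attribute scanning is a deliberately simplified stand-in for a real tokenizer, sufficient for these inputs.

```python
import re

# Constructed from the report: the filtered input and the output HtmlCleaner produced.
REPORTED_INPUT = '<!--> <Details Open OnToggle=confirm("XSS")>'
CLEANER_OUTPUT = '<!--> <Details Open OnToggle=confirm("XSS")>-->'

def naive_comment_end(s, i):
    """Rule the report attributes to HtmlCleaner: after '<!--' everything up to
    the next '-->' (or to the end of input) belongs to the comment."""
    j = s.find('-->', i + 4)
    return len(s) if j < 0 else j + 3

def html5_comment_end(s, i):
    """HTML tokenizer rule: '<!-->' and '<!--->' are complete, empty comments
    (abrupt-closing-of-empty-comment); any other comment runs to the next '-->'."""
    j = i + 4
    if s.startswith('>', j):
        return j + 1
    if s.startswith('->', j):
        return j + 2
    k = s.find('-->', j)
    return len(s) if k < 0 else k + 3

# Simplified tag/attribute scanning, enough for these inputs; not a full tokenizer.
TAG = re.compile(r'<([A-Za-z][^\s/>]*)([^>]*)>')
ATTR = re.compile(r'([^\s=/>]+)(?:\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]*))?')

def tags_outside_comments(s, comment_end):
    """Return (name, {attr: value}) for every tag the given comment rule leaves live."""
    out, i = [], 0
    while i < len(s):
        if s.startswith('<!--', i):
            i = comment_end(s, i)
            continue
        m = TAG.match(s, i)
        if m:
            attrs = {a.lower(): v.strip('"\'') for a, v in ATTR.findall(m.group(2))}
            out.append((m.group(1).lower(), attrs))
            i = m.end()
        else:
            i += 1
    return out

def live_event_handlers(s, comment_end=html5_comment_end):
    """Sorted on* attribute names that survive outside comments under the given rule."""
    return sorted({a for _, attrs in tags_outside_comments(s, comment_end)
                   for a in attrs if a.startswith('on')})

if __name__ == '__main__':
    print(live_event_handlers(CLEANER_OUTPUT, naive_comment_end))  # [] -> the cleaner sees only a comment
    print(live_event_handlers(CLEANER_OUTPUT))                      # ['ontoggle'] -> the browser sees the handler
```

      A sanitizer that tokenizes exactly as the browser does would either see the details element and strip ontoggle, or would not emit the trailing --> that turns the rest of the input into live markup.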

      People

        Michael Hamann