Details
- Bug
- Resolution: Fixed
- Blocker
- 14.6-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to Reproduce:
Add the attribute data-x/onmouseover="alert('XSS1')" to any element, for example a link: [[Link1>>https://XWiki.example.com||data-x/onmouseover="alert('XSS1')"]].
Expected Result:
The attribute is rejected by the sanitizer and no alert is displayed when moving the mouse over the link.
Actual Result:
The attribute is accepted by the sanitizer and an alert is displayed when moving the mouse over the link.
Note that restricted cleaning in the HTMLCleaner is not affected by this vulnerability, as HTMLCleaner correctly parses data-x/onmouseover as two separate attributes; in other words, this cannot be exploited through the HTML macro.
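The report turns on a single string, data-x/onmouseover, that an allow-list sees as one attribute name while an HTML tokenizer ends a name at "/" and therefore reads two attributes, the second an event handler. The following is an added example and not XWiki's sanitizer or HTMLCleaner code: it models that failure mode with a constructed allow-list (href, title, class, id, plus data-* attributes) and a deliberately weak check that decides on the raw name string, then shows the hardened form, which requires the name to be a single well-formed attribute name before the allow-list is consulted. The "naive" check is an illustration of the bug class, not a claim about how XWiki's code was actually written.

```python
"""Attribute-name validation in front of an HTML attribute allow-list.

Added example; not XWiki's sanitizer or HTMLCleaner. It models the failure
mode described in the report: an allow-list that decides on the raw
attribute-name string (here, anything starting with "data-") accepts
data-x/onmouseover, while an HTML parser splits that string at "/" into two
attributes, the second of which is an event handler.
"""
import re

# Characters the HTML tokenizer's "attribute name" state does not accept as
# part of a name: whitespace, "/", ">" and "=" end the name; quotes and "<"
# are parse errors. NUL is rejected as well.
_VALID_ATTRIBUTE_NAME = re.compile(r'''[^\x00\t\n\f\r "'<>=/]+''')

# Allow-list constructed for this example: a few harmless attributes plus
# data-* attributes. Event handlers (on*) are deliberately absent.
ALLOWED_ATTRIBUTES = frozenset({"href", "title", "class", "id"})


def naive_is_allowed(name: str) -> bool:
    """Model of the weak check: match the raw name string against the list.

    It never inspects the characters of the name, so anything that begins
    with "data-" is accepted regardless of what follows.
    """
    return name in ALLOWED_ATTRIBUTES or name.startswith("data-")


def is_well_formed_attribute_name(name: str) -> bool:
    """True if an HTML tokenizer would read `name` as exactly one attribute name."""
    return _VALID_ATTRIBUTE_NAME.fullmatch(name) is not None


def hardened_is_allowed(name: str) -> bool:
    """Hardened check: the name must be one well-formed attribute name before
    the allow-list is consulted; comparison is case-insensitive because the
    tokenizer lower-cases ASCII letters in attribute names."""
    if not is_well_formed_attribute_name(name):
        return False
    lowered = name.lower()
    return lowered in ALLOWED_ATTRIBUTES or lowered.startswith("data-")


def browser_attribute_names(raw: str) -> list[str]:
    """Split a raw attribute-name string the way an HTML tokenizer does.

    Only the name part of a tag is modelled: whitespace and "/" end a name,
    "=" or ">" ends the scan (a value or the end of the tag would follow),
    and ASCII letters are lower-cased. This suffices to show how
    data-x/onmouseover becomes the two attributes data-x and onmouseover.
    """
    names: list[str] = []
    current: list[str] = []
    for ch in raw:
        if ch in " \t\n\f\r/":
            if current:
                names.append("".join(current))
                current = []
        elif ch in "=>":
            break
        else:
            current.append(ch.lower() if ch.isascii() else ch)
    if current:
        names.append("".join(current))
    return names


def filter_attributes(attrs: dict[str, str], check=hardened_is_allowed) -> dict[str, str]:
    """Keep only the attributes whose names pass `check`."""
    return {name: value for name, value in attrs.items() if check(name)}


if __name__ == "__main__":
    # Attributes as a sanitizer would receive them, constructed from the
    # report's payload.
    submitted = {
        "href": "https://XWiki.example.com",
        "data-x/onmouseover": "alert('XSS1')",
    }
    print("browser sees:  ", browser_attribute_names("data-x/onmouseover"))
    print("naive keeps:   ", sorted(filter_attributes(submitted, naive_is_allowed)))
    print("hardened keeps:", sorted(filter_attributes(submitted)))
```

Validating the name's syntax before the allow-list lookup is the general fix: it also rejects names containing whitespace, "=", ">" or quotes, each of which a tokenizer would treat as the end of the name and so could smuggle in a second attribute the allow-list never saw.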
Issue Links
- links to