XWiki Commons / XCOMMONS-2606

HTML element sanitizer accepts invalid data attributes, allowing XSS



    Description

      Steps to Reproduce:

      Add the attribute data-x/onmouseover="alert('XSS1')" to any element like a link: [[Link1>>https://XWiki.example.com||data-x/onmouseover="alert('XSS1')"]].

      Expected Result:

      The attribute is rejected by the sanitizer and no alert is displayed when moving the mouse over the link.

      Actual Result:

      The attribute is accepted by the sanitizer and an alert is displayed when moving the mouse over the link.

      Note that restricted cleaning in the HTMLCleaner is not affected by this vulnerability as HTMLCleaner properly parses data-x/onmouseover as two different attributes, or in other words, this cannot be exploited through the HTML macro.
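The defect described above is a sanitizer that classifies an attribute as a harmless `data-*` attribute by looking at its prefix only, so a name such as `data-x/onmouseover` passes, and the browser's HTML parser later splits it at the `/` into two attributes. The following is an added example, not XWiki's HTMLCleaner or sanitizer code, showing the check a sanitizer should apply instead: the HTML specification's definition of a custom data attribute (starts with `data-`, at least one further character, no ASCII upper-case letters, and XML-compatible, i.e. matches the XML Name production and contains no `:`). The function names, the `SAFE_ATTRIBUTES` allow list and the sample attribute map are constructed for this illustration.

```python
"""Validate custom data-* attribute names before a sanitizer lets them through.

Added example, not XWiki code. Implements the HTML specification's rule for a
custom data attribute: the name starts with "data-", has at least one character
after the hyphen, contains no ASCII upper-case letters and is XML-compatible
(matches the XML Name production and contains no ":"). A prefix-only check
accepts "data-x/onmouseover"; the strict check rejects it.
"""
import re

# Character ranges of the XML 1.0 NameStartChar production, minus ":"
# (a name containing a colon is not XML-compatible in HTML terms).
_NAME_START = (
    "A-Z_a-z"
    "\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF"
    "\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF"
    "\uFDF0-\uFFFD\U00010000-\U000EFFFF"
)
# NameChar adds "-", ".", digits, U+00B7 and two combining-mark ranges.
# Note that "/", "=", '"' and whitespace are in neither set.
_NAME_CHAR = _NAME_START + "\\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
_XML_NAME_RE = re.compile("[" + _NAME_START + "][" + _NAME_CHAR + "]*")


def naive_is_data_attribute(name: str) -> bool:
    """Prefix-only check: the kind of test that lets the malformed name through."""
    return name.startswith("data-")


def is_valid_data_attribute_name(name: str) -> bool:
    """True only for names that are well-formed custom data attributes."""
    if not name.startswith("data-") or len(name) == len("data-"):
        return False
    if any("A" <= ch <= "Z" for ch in name):
        return False  # data attribute names must not contain ASCII upper-case letters
    return _XML_NAME_RE.fullmatch(name) is not None


# Hypothetical allow list for this example; a real sanitizer keeps its own,
# and also validates attribute values (URL schemes etc.), which is out of scope here.
SAFE_ATTRIBUTES = {"href", "title", "class", "id"}


def sanitize_attributes(attrs: dict) -> dict:
    """Return a new dict keeping allow-listed attributes and well-formed data-* names only."""
    kept = {}
    for name, value in attrs.items():
        if name.lower() in SAFE_ATTRIBUTES or is_valid_data_attribute_name(name):
            kept[name] = value
    return kept


if __name__ == "__main__":
    # Constructed sample: the link attributes from the report plus a benign data attribute.
    sample = {
        "href": "https://XWiki.example.com",
        "data-x/onmouseover": "alert('XSS1')",
        "data-track": "nav",
    }
    print("prefix-only check accepts malformed name:",
          naive_is_data_attribute("data-x/onmouseover"))      # True
    print("strict check accepts malformed name:",
          is_valid_data_attribute_name("data-x/onmouseover"))  # False
    print("sanitized:", sanitize_attributes(sample))
```

The strict check is deliberately applied to the raw attribute name as the sanitizer received it; lower-casing the name first would hide the upper-case rule, and stripping characters rather than rejecting the whole attribute would again leave the decision to whichever parser consumes the output.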

People: Michael Hamann