XWiki Commons / XCOMMONS-2828

$escapetool.html doesn't escape {, allowing XWiki syntax injection



Description

Steps to reproduce:

Write $escapetool.html('{') in Velocity code.

Expected result:

The { is escaped.

Actual result:

The character { is printed as-is. This is unexpected as, since XWIKI-7894, $escapetool.xml escapes {. This causes security vulnerabilities like XWIKI-21438; I'm thus classifying it the same.
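Why an unescaped { matters: in XWiki syntax 2.x a macro is opened with {{name ...}}, so a Velocity template that HTML-escapes untrusted text and then emits it into wiki syntax still lets an attacker inject macros such as {{html}}. The following is an added Python model of the two behaviours the report contrasts; it is not XWiki's own Java EscapeTool code. The hardened variant follows the approach $escapetool.xml takes after XWIKI-7894 of encoding { as a numeric character reference (assumed here to be &#123;, which every HTML parser decodes back to {). The function names and the sample input are constructed for this example.

```python
import html
import re

# Constructed sample: attacker-controlled text that carries XWiki macro
# syntax. The angle brackets are included to show that the HTML special
# characters are escaped in both variants; only the braces differ.
UNTRUSTED = '{{html clean="false"}}<script>alert(1)</script>{{/html}}'

# An XWiki macro delimiter: "{{name" or "{{/name".
MACRO_RE = re.compile(r"\{\{/?[A-Za-z]")


def escape_html_only(text: str) -> str:
    """Model of $escapetool.html as described in XCOMMONS-2828: the HTML
    special characters are escaped, but '{' is passed through unchanged."""
    return html.escape(text, quote=True)


def escape_html_and_brace(text: str) -> str:
    """Hardened variant modelled on $escapetool.xml (XWIKI-7894): in
    addition to the HTML special characters, '{' is encoded as the numeric
    character reference '&#123;' (assumed encoding). The rendered text is
    identical, but the output can no longer be parsed as XWiki macro syntax."""
    return html.escape(text, quote=True).replace("{", "&#123;")


def contains_macro_syntax(text: str) -> bool:
    """True if the text still contains an XWiki macro delimiter."""
    return MACRO_RE.search(text) is not None


if __name__ == "__main__":
    for name, fn in (("html only", escape_html_only),
                     ("html + brace", escape_html_and_brace)):
        out = fn(UNTRUSTED)
        print(f"{name:12s} macro syntax left: {contains_macro_syntax(out)}  -> {out}")
```

The check to apply in a review is the one `contains_macro_syntax` performs: after escaping, no `{{` sequence may remain in output that is later fed to the XWiki syntax parser. Encoding only `{` is enough, because without the opening brace the parser never sees a macro delimiter, and `html.unescape` (or the browser) restores the original text for display.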

People

pjeanjean Pierre Jeanjean
MichaelHamann Michael Hamann