XWiki Rendering / XRENDERING-454

XSS vulnerabilities in XWiki syntax

Details

    • Bug
    • Resolution: Duplicate
    • Major

    Description

      Both the native syntaxes for images and links allow arbitrary JavaScript to be injected on the page:

      [[image:Click me!||onerror="javascript:alert('XSS')" onclick="javascript:alert('XSS')"]]

      [[Label >> https://jira.xwiki.org||onerror="javascript:alert('XSS')" onclick="javascript:alert('XSS')"]]

      How can we best sanitize page contents to avoid XSS exploits?
      Can we guarantee backwards compatibility with macros and extensions that rely on javascript being injected on the page?
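
An allowlist filter over the parameters written after `||` is one way to approach the sanitization question raised in the description. This is an added example, not XWiki Rendering's own code; the class name, method names and the allowlist itself are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not XWiki Rendering code): filters the parameters written after "||". */
public class ParameterFilter {
    // Assumed allowlist of presentational attributes; everything else is dropped.
    private static final Set<String> ALLOWED =
        Set.of("alt", "title", "class", "width", "height", "rel");
    // name="value" pairs; unquoted or single-quoted values do not match and are dropped.
    private static final Pattern PARAM =
        Pattern.compile("([A-Za-z][A-Za-z0-9_:-]*)\\s*=\\s*\"([^\"]*)\"");

    /** Returns only the allowlisted parameters, with lower-cased names. */
    public static Map<String, String> filter(String rawParameters) {
        Map<String, String> kept = new LinkedHashMap<>();
        Matcher m = PARAM.matcher(rawParameters);
        while (m.find()) {
            String name = m.group(1).toLowerCase(Locale.ROOT);
            // Deny by default: onerror, onclick, style and friends never reach the output.
            if (ALLOWED.contains(name)) {
                kept.put(name, m.group(2));
            }
        }
        return kept;
    }

    /** Serializes the kept parameters as HTML attributes, escaping each value. */
    public static String toAttributes(Map<String, String> parameters) {
        StringBuilder out = new StringBuilder();
        parameters.forEach((name, value) -> out.append(' ').append(name).append("=\"")
            .append(value.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;"))
            .append('"'));
        return out.toString();
    }

    public static void main(String[] args) {
        // Parameter string shared by both payloads in the description: nothing survives.
        String payload = "onerror=\"javascript:alert('XSS')\" onclick=\"javascript:alert('XSS')\"";
        System.out.println("payload ->" + toAttributes(filter(payload)));
        // Constructed mixed input: the harmless attribute is kept, the handler is dropped.
        String mixed = "title=\"Issue <tracker>\" OnClick=\"javascript:alert('XSS')\"";
        System.out.println("mixed   ->" + toAttributes(filter(mixed)));
    }
}
```

Because the filter denies by default, macros or extensions that pass event-handler parameters through link or image syntax would stop working under it, which is the backwards-compatibility trade-off the description asks about.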

            People

              tmortagne Thomas Mortagne
              mehdi.oulmakki mehdi oulmakki