Details
-
Bug
-
Resolution: Fixed
-
Blocker
-
3.3-milestone-1
-
Unit
-
Unknown
-
N/A
-
N/A
-
Description
Steps to reproduce:
As any user (without script/programming right) insert
{{html wiki="true"}}~{~{~/~h~t~m~l~}~}~ ~{~{~c~a~c~h~e~}~}~{~{~g~r~o~o~v~y~}~}~p~r~i~n~t~l~n~(~1~)~{~{~/~g~r~o~o~v~y~}~}~{~{~/~c~a~c~h~e~}~}~{{/html}}
in the about section of the user profile (use the source view of the editor).
Expected result:
The text
{{/html}} {{cache}}{{groovy}}println(1){{/groovy}}{{/cache}}
is displayed in the about section of the user profile.
Actual result:
The text 1</p> followed by raw HTML is displayed.
This demonstrates that the HTML renderer produced a closing HTML macro syntax. Following up on XWIKI-7894, this shouldn't be possible. This is still possible because { is only escaped in regular content but not in raw blocks which are produced by the HTML macro. Due to possible breakages when using the wrong escaping, e.g., inside script-tags or HTML comments, we need to be careful to only escape the minimum, which is a) the full
{{/html}}
inside the content, and b) any prefix of {/html}} at the end of a raw block as this can be continued to a full
{{/html}}
with another raw block or also plain content before/after it.
While it is not nice to escape for HTML macros in the XHTML output, it fixes actual security issues as the one demonstrated above in both XWiki itself and extensions and it is consistent with what has already been implemented as part of XWIKI-7894.
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
- links to