Details
- Bug
- Resolution: Fixed
- Blocker
- 14.6-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
Create an element with the attribute /onmouseover="alert('XSS1')" in XWiki syntax, e.g. [[Link1>>https://XWiki.example.com||/onmouseover="alert('XSS1')"]].
Expected result:
When hovering over the link, no alert is displayed, as the attribute is not supported in XWiki syntax.
Actual result:
An alert is displayed when moving the mouse over the link.
The reason is that, while the HTML sanitizer detects the attribute as being okay, the XHTML printer just adds the prefix data-xwiki-translated-attribute- and prints the attribute nevertheless. This is enough for a successful attack: there is no further validation that the attribute name contains only valid characters, but the browser interprets / as a separator between two attributes and thus sees a separate onmouseover attribute.
The affects version is the version in which the attribute prefixing and validation were introduced; before that version, no validation at all was performed on attributes.
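The following is an added Python model of the behaviour described above, not XWiki's own code: it shows that prefixing an attribute name without checking its characters still lets a tokenizer split it into two attributes, and contrasts it with a name check that rejects such names before printing. The prefix is the one named in the report; the name pattern, the function names and the sample input are assumptions made for this example.

```python
import re
import html
from html.parser import HTMLParser

PREFIX = "data-xwiki-translated-attribute-"
# Conservative attribute-name check (assumed, not XWiki's own rule): a letter or
# underscore followed by letters, digits, '-', '_', '.' or ':'. Anything else,
# including '/', whitespace and '=', cannot be part of an attribute name.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.:-]*")

def print_attribute_unchecked(name, value):
    """Model of the reported behaviour: prefix the unsupported attribute name and
    print it without checking that the name contains only valid characters."""
    return f'{PREFIX}{name}="{html.escape(value, quote=True)}"'

def print_attribute_checked(name, value):
    """Hardened variant: drop the attribute when its name is not a valid name,
    otherwise prefix and print it exactly as before."""
    if not NAME_RE.fullmatch(name):
        return None
    return print_attribute_unchecked(name, value)

class _AttrCollector(HTMLParser):
    """Records the attributes an HTML tokenizer extracts from a start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)

def browser_attribute_names(attr_markup):
    """Return the attribute names a browser-like tokenizer sees in '<a ATTR_MARKUP>'.
    Python's html.parser behaves like the HTML tokenizer here: '/' ends a name."""
    collector = _AttrCollector()
    collector.feed(f"<a {attr_markup}>")
    return [name for name, _ in collector.attrs]

if __name__ == "__main__":
    # Constructed sample input, taken from the reproduction step of the report.
    bad_name, payload = "/onmouseover", "alert('XSS1')"
    unchecked = print_attribute_unchecked(bad_name, payload)
    print(unchecked)                                   # printed as one prefixed attribute
    print(browser_attribute_names(unchecked))          # seen as two attributes by the tokenizer
    print(print_attribute_checked(bad_name, payload))  # None: rejected before printing
    print(browser_attribute_names(print_attribute_checked("foo", "bar")))
```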