Details
- Bug
- Resolution: Fixed
- Critical
- 7.4.2
- High
- Easy
- N/A
- N/A
Description
We don't allow scripts in actual comments, but we do when previewing a new comment. Worse, programming rights are also active, and CSRF is not checked.
The problem actually seems to be deeper, since the comment preview uses the /preview/ action.
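The two defects named in the report, a preview that renders with the submitter's script rights and a preview action that does not check a form token, are shown side by side below in a constructed toy. This is an added example, not XWiki's code and not the fix that closed this issue: the `{{script}}` macro, `PRIVILEGED_CONTEXT`, `Session`, `render` and the two `preview_comment_*` handlers are all assumptions made for illustration.

```python
import hmac
import re
import secrets

# Constructed illustration (not XWiki's code): a toy wiki renderer whose
# {{script}}...{{/script}} macro reads server-side data, and two versions
# of a comment-preview handler built on top of it.

SCRIPT_MACRO = re.compile(r"\{\{script\}\}(.*?)\{\{/script\}\}", re.DOTALL)

# Constructed stand-in for the privileged objects a real script macro can
# reach (wiki context, request, server configuration).
PRIVILEGED_CONTEXT = {
    "server": {"secret": "s3cr3t-constructed"},
    "user": {"name": "alice"},
}


def execute_script(body, context):
    """Toy script engine: resolve a dotted path such as 'server.secret'
    against the privileged context. Stands in for real script execution."""
    value = context
    for part in body.strip().split("."):
        value = value[part]
    return str(value)


def render(content, restricted, context=PRIVILEGED_CONTEXT):
    """Render content. Restricted mode refuses script macros outright,
    whatever rights the submitting user holds."""
    def expand(match):
        if restricted:
            return "[script macro not allowed in restricted rendering]"
        return execute_script(match.group(1), context)
    return SCRIPT_MACRO.sub(expand, content)


class Session:
    """Per-session state; the anti-CSRF form token is minted once per session."""
    def __init__(self):
        self.form_token = secrets.token_hex(16)


def preview_comment_vulnerable(session, form):
    """The behaviour the report describes: no token check, and the preview
    is rendered with the rights of whoever is logged in."""
    return render(form["comment"], restricted=False)


def preview_comment_fixed(session, form):
    """Hardened preview: require the session's form token (so a cross-site
    request cannot trigger it) and render in restricted mode."""
    supplied = form.get("form_token", "")
    if not hmac.compare_digest(supplied, session.form_token):
        raise PermissionError("missing or invalid form token")
    return render(form["comment"], restricted=True)


if __name__ == "__main__":
    session = Session()
    hostile = "Nice page! {{script}}server.secret{{/script}}"  # constructed input
    print(preview_comment_vulnerable(session, {"comment": hostile}))
    print(preview_comment_fixed(
        session, {"comment": hostile, "form_token": session.form_token}))
```

The token check alone would not be enough: a logged-in user with programming rights could still preview a script macro and read server data, so the preview must also render in restricted mode, which is the direction the linked issue takes.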
Issue Links
- relates to XWIKI-16459 Display content in restricted mode (Closed)