XWiki Platform - XWIKI-13365

Scripts are allowed in Comment previews

Description

We don't allow scripts in actual comments, but we do when previewing a new comment. Worse, programming rights are also active, and CSRF is not checked.

The problem actually seems to be deeper, since the comment preview uses the /preview/ action.

People

surli Simon Urli
sdumitriu Sergiu Dumitriu