
Improve the html escaping mechanism for XSS protection


    Description

      Currently we always escape the xproperties to protect against XSS.

      A proposed solution to allow some users to define HTML content in a safe way is the following:

      require/check script right for anything that produces JavaScript code:

      • JSX (with "on this page")
      • HTML macro (the attributes and tags that can contain JavaScript should be filtered out at rendering time if the content author doesn't have script right)
      • wiki syntax parameters (% onclick="..." %)
      • etc.
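      As an added illustration of the HTML macro bullet above (this is not code from XWiki, and not the mechanism the issue may eventually adopt), the following Python filter removes the tags and attributes that can carry JavaScript when the content author lacks script right, and leaves the markup untouched when the author has it. The names `filter_html`, `ScriptStrippingFilter` and the sample markup are assumptions constructed for this example; a real implementation would also have to cover `style` attributes, `<object>`/`<embed>`, and the full list of URL-bearing attributes.

```python
from html import escape
from html.parser import HTMLParser

# Illustrative filter, not XWiki's HTML macro implementation.
# Tags whose content is executed as script: dropped together with their content.
SCRIPT_TAGS = {"script"}
# Attributes that take a URL and can therefore carry a javascript: scheme.
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href"}
# Schemes that execute code when the URL is followed.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside the scheme,
    # so strip them before comparing ("java\tscript:" is still javascript:).
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    return compact.lower().startswith(SCRIPT_SCHEMES)


class ScriptStrippingFilter(HTMLParser):
    """Re-emits HTML without script tags, on* handlers and script: URLs."""

    def __init__(self):
        # convert_charrefs=False keeps entity references separate from text
        # so they can be re-emitted verbatim; attribute values are still
        # decoded by the parser, which is what lets &#106;avascript: be caught.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0   # >0 while inside a dropped <script> element
        self.removed = []     # audit trail of what was stripped

    def _emit_tag(self, tag, attrs, self_closing):
        if tag in SCRIPT_TAGS:
            self.removed.append(f"<{tag}>")
            if not self_closing:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.removed.append(f"{tag}@{lname}")        # event handler
                continue
            if lname in URL_ATTRIBUTES and value is not None and _is_script_url(value):
                self.removed.append(f"{tag}@{lname}")        # javascript: URL
                continue
            if value is None:
                parts.append(lname)
            else:
                parts.append(f'{lname}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ("/>" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in SCRIPT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped; they carry no content worth rendering


def filter_html(html_source: str, has_script_right: bool):
    """Return (filtered_html, removed_items); untouched when the author has script right."""
    if has_script_right:
        return html_source, []
    f = ScriptStrippingFilter()
    f.feed(html_source)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample: benign markup mixed with the constructs the bullet refers to.
SAMPLE = (
    '<p onclick="steal()">Hello <b>world</b></p>'
    '<a href=" JavaScript:alert(1)">link</a>'
    '<img src="x.png" onerror="alert(2)"/>'
    '<script>alert(3)</script>'
    '<a href="https://www.xwiki.org/">ok</a>'
)

if __name__ == "__main__":
    clean, removed = filter_html(SAMPLE, has_script_right=False)
    print(clean)
    print("removed:", removed)
```

      The `removed` list is the part worth keeping in a real deployment: logging which handlers and URLs were stripped, and for whose content, gives administrators a signal when a user without script right keeps trying to embed JavaScript.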

      See the discussion https://matrix.to/#/!fSfTnnfYXenblSmDEe:matrix.xwiki.com/$uyLOqwtVEUspUoNHdM0tPmCk0y6DHZZqMCQ6UTCONKE?via=matrix.xwiki.com&via=matrix.org


            People

              surli Simon Urli
              mleduc Manuel Leduc