Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-19667

The move attachment form is missing escaping and some translations

    XMLWordPrintable

Details

    • Unknown
    • N/A

    Description

      moveStep1 is missing escaping and some translations

      See https://github.com/xwiki/xwiki-platform/blame/886b1cdde49d84c1a52f204a65782aae4eccdb86/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-api/src/main/resources/templates/attachment/moveStep1.vm#L110-L129

      This has also the consequence to lead to an xss (similar to XWIKI-19612).

      Reproduction steps:

      • On any page, upload an attachment named ><img src=1 onerror=alert(1)>.jpg
      • From the attachment pane, click on the move attachment action
      • An alert with the content 1 is shown to the user

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-19844 The actor of an attachment move is not displayed properly in the final page

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-1657 Allow to rename and move attachments

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-19612 XSS in the attachment history

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link Github Security advisory

          Activity

            People

              mleduc Manuel Leduc
              mleduc Manuel Leduc
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: