Details
- Bug
- Resolution: Fixed
- Blocker
- 1.8
- Unit
- High
- Unknown
- N/A
- N/A
Description
The RSS macro (enabled by default) allows injecting arbitrary HTML code, including JavaScript, into the rendered output.
Steps to reproduce:
- Edit the user profile
- Click on the "+" icon, select "Other Macros", type "RSS" and select the RSS Macro
- Enter https://xssrss.blogspot.com/feeds/posts/default?alt=rss as feed URL and check the "Content" checkbox. In XWiki syntax (2.0), the syntax is:
{{rss feed="https://xssrss.blogspot.com/feeds/posts/default?alt=rss" content="true" /}}
- Click "Submit" to insert the macro
- Click "Save and view"
Expected result:
No scripts are executed.
Actual result:
An alert with content "1" is displayed.
This issue is caused by XWIKI-3344 and is thus reproducible since XWiki 1.8 (when using XWiki syntax 2.0, which is available but not the default). Note that until XWIKI-4096 (XWiki 2.0 M2) the content was wrapped in an HTML macro instead of a raw block, but this does not prevent the attack.
Attachments
Issue Links
- is caused by: XWIKI-3344 RSS macro 2.0 does not render HTML content in entries descriptions (Closed)
- links to