Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- 7.2-rc-1
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
Open <xwiki_host>/xwiki/bin/view/%22%20%2F%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=FlamingoThemesCode.WebHome&xpage=view where <xwiki_host> is the URL of your XWiki installation.
Expected result:
An empty document tree is displayed.
Actual result:
The [documentTree] macro is a standalone macro and it cannot be used inline. Click on this message for details. Hello from groovy!.WebHome" /}}
is displayed. This shows that the Groovy macro passed in the URL has been executed, which is a privilege escalation from view rights to programming rights. The root cause is that FlamingoThemesCode.WebHome prints $doc.documentReference without any escaping: a document name containing wiki syntax closes the documentTree macro parameter (hence the leftover `.WebHome" /}}` in the output), and the rest of the name is then parsed and rendered as markup.
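To make the root cause concrete, here is a small Python model of the defect, added to this issue as an illustration; it is not XWiki's template or rendering code. The template line, the escaping rule (backslash-escaping of backslashes and double quotes inside a quoted macro parameter) and the sample document names are assumptions made for the demo; the template shape is reconstructed from the `.WebHome" /}}` tail visible in the reported output.

```python
"""
Toy model of the injection in this issue: a page reference is interpolated
into a wiki macro parameter without escaping. Added example, not XWiki code.
"""
import re

# Assumed shape of the vulnerable template line (reconstructed from the
# '.WebHome" /}}' remnant in the reported output).
TEMPLATE = '{{documentTree root="document:%s" /}}'

# Constructed sample references (not taken from the report).
BENIGN_REFERENCE = 'xwiki:Main.WebHome'
QUOTED_REFERENCE = 'xwiki:Main.Say "hi"'
BREAKOUT_REFERENCE = 'xwiki:Main." /}} {{info}}injected{{/info}}.WebHome'


def render_unescaped(reference: str) -> str:
    """The vulnerable pattern: $doc.documentReference dropped in verbatim."""
    return TEMPLATE % reference


def is_safe_parameter(value: str) -> bool:
    """True when the value can be represented under the assumed escaping
    rule. '}}' is rejected outright: a macro delimiter inside a parameter
    is never something a page reference should need."""
    return '}}' not in value


def escape_macro_parameter(value: str) -> str:
    """Assumed escaping rule for a quoted macro parameter value: backslash-
    escape backslashes and double quotes so the value cannot end the
    parameter and start new markup."""
    if not is_safe_parameter(value):
        raise ValueError('macro delimiter in parameter value')
    return value.replace('\\', '\\\\').replace('"', '\\"')


def render_escaped(reference: str) -> str:
    """The hardened pattern: same template, escaped value."""
    return TEMPLATE % escape_macro_parameter(reference)


def macro_count(markup: str) -> int:
    """Count macro openings ({{name ...) in the markup. A render of this one
    template line must contain exactly one; more means injection."""
    return len(re.findall(r'\{\{(?!/)\s*\w+', markup))


def parse_root_parameter(markup: str) -> str:
    """Minimal parser for root="..." that honours backslash escapes; used to
    show that the escaped render round-trips the original reference."""
    m = re.search(r'root="((?:[^"\\]|\\.)*)"', markup)
    if m is None:
        raise ValueError('no root parameter')
    return re.sub(r'\\(.)', r'\1', m.group(1))


if __name__ == '__main__':
    # Unescaped: a quote in the name truncates the parameter, and a name
    # carrying wiki syntax yields a second macro.
    print(render_unescaped(QUOTED_REFERENCE))
    print(macro_count(render_unescaped(BREAKOUT_REFERENCE)))  # 2
    # Escaped: the parameter keeps the full reference.
    print(parse_root_parameter(render_escaped(QUOTED_REFERENCE)))
```

`macro_count` is the check a reviewer can run over any template output built this way: a single template line that renders to more than one macro opening has let a value escape its parameter, whatever the value was.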
Issue Links
- is caused by: XE-1497 Make the Home Page display in a nicer way for Nested Documents (Closed)
- links to