Details
- Security
- Resolution: Fixed
- Blocker
- 3.4-milestone-1
Description
Reproduction steps:
- Log in as admin
- Go to URL http://localhost:8080/xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain)
- Click "No"
Expected result:
- You're redirected to the Sandbox page
Obtained result:
- You see an alert
This shows that the xredirect parameter is used without validation, so this kind of URL can be exploited for XSS.
Note that this issue is partly mitigated by the fact that this feature is no longer used in XS, so it would be surprising for an admin to be asked to go there. However, the feature is still bundled, so it can still be exploited.
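The root cause described above is that the xredirect value is emitted as a link target without checking its scheme. The following is an added illustration, not XWiki's own code or the sanitizing macro from XWIKI-20583: a Python validator for a redirect parameter that only accepts site-absolute paths or http(s) URLs to an allow-listed host, and falls back to a known-good target for anything else (javascript:, data:, scheme-relative "//host", backslash and control-character variants). The function name safe_redirect, the allow-list argument and the sample inputs are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# ASCII control characters and space: browsers skip tabs/newlines when parsing
# a scheme, so "java\tscript:" is read as "javascript:". Reject instead of strip.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def safe_redirect(xredirect, fallback, allowed_hosts=frozenset()):
    """Return `xredirect` if it is a safe redirect target, else `fallback`.

    Accepted:
      - site-absolute paths such as "/xwiki/bin/view/Sandbox/"
      - http/https URLs whose host is in `allowed_hosts`
    Everything else (other schemes, scheme-relative URLs, malformed input)
    is replaced by `fallback`. Hypothetical helper written for this example.
    """
    if not isinstance(xredirect, str) or not xredirect:
        return fallback
    if _CONTROL.search(xredirect):
        return fallback
    # Browsers treat "\" like "/", so "/\evil.example" becomes "//evil.example".
    if "\\" in xredirect:
        return fallback

    parts = urlsplit(xredirect)  # urlsplit lower-cases the scheme for us

    if parts.scheme:
        # Absolute URL: only http(s), and only to a host we explicitly allow.
        if parts.scheme not in ("http", "https"):
            return fallback          # javascript:, data:, vbscript:, ...
        host = parts.hostname
        if not host or host.lower() not in allowed_hosts:
            return fallback
        return xredirect

    if parts.netloc:
        # "//evil.example/..." inherits the page scheme but leaves the site.
        return fallback

    # Path-only value: require it to be rooted at "/" so it stays on this site.
    if not xredirect.startswith("/"):
        return fallback
    return xredirect


if __name__ == "__main__":
    # Constructed sample values; the first one is the payload from the report.
    samples = [
        "javascript:alert(document.domain)",
        "JavaScript:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,x",
        "//evil.example/x",
        "/\\evil.example/x",
        "/xwiki/bin/view/Sandbox/",
        "http://localhost:8080/xwiki/bin/view/Sandbox/",
        "http://evil.example/",
    ]
    for value in samples:
        target = safe_redirect(value, "/xwiki/bin/view/Sandbox/", frozenset({"localhost"}))
        print(f"{value!r:50} -> {target}")
```

Validating the scheme and host server-side, before the value is written into the "No" link, is what stops the reported payload; escaping the attribute alone would not help, because javascript:alert(...) is a perfectly well-formed href.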
Issue Links
- depends on: XWIKI-20583 Provide a macro for sanitizing URLs in templates (Closed)
- is caused by: XWIKI-6687 Be able to delete a space from the UI (Closed)