Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: 15.2-rc-1, 14.10.6
Affects Version/s: 9.6-rc-1
Component/s: Like, Mentions, Web - Templates & Resources
Labels:
None

Tests:

Unit
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

As a user with some HTML code in the name (like <script>alert(1)</script>), do some change on a document that is watched by another user. Additionally, set the title of the changed document to contain similar HTML code.
As the other user, click on the feed icon in the notifications area.

Expected result:

The user's name is displayed as entered as is the title of the changed document.

Actual result:

The text <script>alert(1)</script> isn't displayed in the content of the item unless you view the source, in which case you can see that the HTML code hasn't been escaped. This can break the formatting of the feed or might trigger security issues in the feed reader if it doesn't prevent JavaScript execution. Note that normally, feed readers shouldn't execute JavaScript that is contained in the feed's content as they should consider the feed's content as untrusted input so this is not a security issue in XWiki.

Attachments

Issue Links

causes

XWIKI-20964 xwiki-platform-web-templates is wrongly installed as a dependency of like notifications

Closed

is caused by

XWIKI-14289 Create an RSS feed for notifications

Closed

Activity

People

Assignee:: Michael Hamann

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 23/Feb/23 15:08

Updated:: 05/Jun/23 14:36

Resolved:: 27/Feb/23 11:27