Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- Fix Version: 3.3-milestone-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
1. As a user without script or programming rights, open any extension page and add the following content to the description field:
{{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}
2. Save or preview the extension page.
Expected result:
An error is displayed, since the user has neither script nor programming right.
Actual result:
"Hello from Description" is displayed without any error: the Groovy script is executed.
The same vulnerability also exists in the installation instructions field. The summary field is vulnerable with
}}}{{async}}{{groovy}}println("Hello from Summary"){{/groovy}}{{/async}}
and the icon field with
]]{{async}}{{groovy}}println("Hello from Icon"){{/groovy}}{{/async}}
(the leading }}} and ]] break out of the wiki-syntax wrapper the page puts around those fields, which indicates that the summary is embedded in a {{{...}}} verbatim block and the icon inside [[...]] link syntax). Other fields might be vulnerable as well.
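The following is an added, illustrative simulation written for this page; it is not XWiki code and not the fix that closed this issue. It assumes hypothetical page templates that splice the submitter-controlled fields into XWiki 2.x wiki markup (the summary inside a {{{...}}} verbatim block, the icon inside [[image:...]], the description as raw wiki text), inferred only from the }}} and ]] prefixes the payloads above need. A simplified scanner models which macro calls would be parsed at top level, shows that each of the three payloads escapes its wrapper, and then demonstrates two mitigations: escaping the wiki-syntax characters with XWiki's ~ escape before embedding, and a pre-save check that rejects script macros from a submitter who lacks script or programming right, which is the behaviour the report expects. The constants, function names and scanning rules are all assumptions of this example.

```python
import re

# Added illustrative example (not XWiki code). Models how untrusted extension
# fields get spliced into wiki markup and how the payloads escape that markup.

# The three payloads quoted in the report, kept as constants for reuse.
DESC_PAYLOAD = '{{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}'
SUMMARY_PAYLOAD = '}}}{{async}}{{groovy}}println("Hello from Summary"){{/groovy}}{{/async}}'
ICON_PAYLOAD = ']]{{async}}{{groovy}}println("Hello from Icon"){{/groovy}}{{/async}}'


def embed(field, value):
    """Splice an untrusted field value into page markup, naively.

    Hypothetical templates, inferred from the prefixes the payloads need:
    "}}}" closes a {{{...}}} verbatim block, "]]" closes a link.
    """
    if field == "summary":
        return "{{{" + value + "}}}"
    if field == "icon":
        return "[[image:" + value + "]]"
    return value  # description, installation instructions: raw wiki text


MACRO_START = re.compile(r"\{\{(\w+)")
SCRIPT_MACROS = {"groovy", "velocity", "python", "script"}


def live_macros(markup):
    """Names of macro calls that would be parsed at top level.

    Simplified XWiki 2.x rules: '~' escapes the next character, {{{...}}} is
    verbatim, and [[...]] is link syntax; macros inside those are inert.
    Anything else that looks like {{name ...}} counts; closing tags do not.
    """
    found = []
    i, n = 0, len(markup)
    while i < n:
        if markup[i] == "~":
            i += 2
        elif markup.startswith("{{{", i):
            end = markup.find("}}}", i + 3)
            i = n if end < 0 else end + 3
        elif markup.startswith("[[", i):
            end = markup.find("]]", i + 2)
            i = n if end < 0 else end + 2
        else:
            m = MACRO_START.match(markup, i)
            if m:
                found.append(m.group(1).lower())
                i = m.end()
            else:
                i += 1
    return found


def escape_wiki(value):
    """Escape the characters that open or close wiki-syntax contexts with the
    XWiki 2.x '~' escape, so a field value cannot break out of its wrapper."""
    return "".join("~" + c if c in "~{}[]" else c for c in value)


def embed_hardened(field, value):
    """Same templates as embed(), but the value is escaped first."""
    return embed(field, escape_wiki(value))


def check_submission(fields, has_script_right):
    """Pre-save check matching the report's expected behaviour: refuse the
    save when a field would execute a script macro and the submitter lacks
    script/programming right. Returns (ok, {field: [macro, ...]})."""
    offending = {}
    for field, value in fields.items():
        scripts = [m for m in live_macros(embed(field, value)) if m in SCRIPT_MACROS]
        if scripts:
            offending[field] = scripts
    return has_script_right or not offending, offending


if __name__ == "__main__":
    for field, payload in [("description", DESC_PAYLOAD),
                           ("summary", SUMMARY_PAYLOAD),
                           ("icon", ICON_PAYLOAD)]:
        print(field, "naive:", live_macros(embed(field, payload)),
              "hardened:", live_macros(embed_hardened(field, payload)))
    print(check_submission({"summary": SUMMARY_PAYLOAD}, has_script_right=False))
```

Note that the same Groovy payload without the }}} prefix stays inert inside the summary's verbatim block in this model, which is why the breakout prefix is part of each payload; escaping alone removes the breakout, while the save-time check is what turns a silent script execution into the error the reporter expected.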
Attachments
Issue Links
- causes: XWIKI-22574 Extensions with a lot of xobjects became much slower to display when the content author is different from the metadata author (Closed)
- is caused by: XWIKI-7084 Improve XWiki Repository UI (Closed)
- links to