Loading...

XML

Word

Printable

Details

Type: Improvement
Resolution: Fixed
Priority: Major
Fix Version/s: 16.6.0-rc-1, 16.4.1, 15.10.12
Affects Version/s: 15.10.9
Component/s: Realtime
Labels:

Tests:

Integration
Difficulty:
Unknown
Documentation:
https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor/#HScriptMacros
Documentation in Release Notes:
N/A
Similar issues:

Description

Starting with ~~XWIKI-21767~~ a change in a macro parameter / content triggers a re-rendering of the macro output for each participant. This creates a security vulnerability: a user without script rights will be able to execute scripts if any other participant has script right because whatever script macro they insert will be executed automatically by the rest of the users.

In order to fix this we could:

prevent users with different script/programming level enter the same realtime WYSIWYG editing session
or prevent the execution of script macros during a realtime WYSIWYG editing session (but this will remove the WYSIWYG aspect).

Attachments

Issue Links

blocks

XWIKI-22128 Enable realtime editing for the WYSIWYG editor by default

Closed

depends on

XWIKI-21767 Dynamic macros are not properly synchronized

Closed

XCOMMONS-3052 Add support for implementing Netflux channel bots as components

Closed

XWIKI-22222 Add the concept of "request effective author"

Closed

is duplicated by

XWIKI-22777 Privilege Escalation via Realtime Collaboration

Closed

Activity

People

Assignee:: Marius Dumitru Florea

Reporter:: Marius Dumitru Florea

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 27/Feb/24 13:56

Updated:: 2 days ago 15:04

Resolved:: 02/Jul/24 16:45