  1. XWiki Platform
  2. XWIKI-22038

XSS through conflict resolution still reproducible


Details

    • Bug
    • Resolution: Won't Fix
    • Blocker
    • None
    • 16.2.0
    • Windows 11 Pro, Firefox 124, using a local instance of XWiki 16.2.0 on Tomcat 9.0.87, MariaDB 11.3
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      1. Log in as Admin
      2. Edit a page, add some text, but do not save
      3. Log in as a user without script right in another browser or in Incognito mode
      4. Edit the same document (force the edit on warning), add <script>alert('XSS')</script> in the content and delete some existing text to cause a conflict
      5. Save the page
      6. As Admin, save the page as well
      7. On the conflict window, select "Fix each conflict individually"

      Expected result:

      The conflict window is displayed, but without an alert.

      Actual result:

      An alert with content "XSS" is displayed.

            People

              MichaelHamann Michael Hamann
              iandriuta Ilie Andriuta