Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-22759

No required right warnings about wiki syntax in the content macro's source parameter

    XMLWordPrintable

Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      As a user without script right, create a page with content:

      {{content source="string:{{velocity~}~}Evil content{{/velocity~}~}"}}{{/content}}

      As an admin user, edit the page.

      Expected result:

      There is a warning about the "Evil content" script.

      Actual result:

      There is no warning and after saving or after inserting a macro in the WYSIWYG editor, the "Evil content" script is executed.

      Additionally, the syntax that is specified in the syntax parameter isn't taken into consideration when analyzing the content macro's content.

      Attachments

        Issue Links

          links to

          Web Link Security Advisory

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: