XWiki Platform: XWIKI-23378

Protection against HTML macro injection should be aligned with XHTML renderer


Description

As part of XRENDERING-792 and XRENDERING-793, the protection against injecting HTML macros has been updated to also protect against opening HTML macros and closing HTML macros with spaces after the macro name. While this protection in the XHTML renderer should be sufficient to protect against the security risks, as part of XWIKI-20327, we've introduced similar protections in the XWikiDocument#display API. Those should be updated to also protect against the injections that were discovered and fixed in XRENDERING-792 and XRENDERING-793 as an extra safety net.

At this moment, we're not aware of any possible attacks that would require this extra safety net. This is still marked as a security ticket to be disclosed together with XRENDERING-792 and XRENDERING-793 in order to keep the details of those issues confidential.
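As an added illustration, not code from XWiki or from this ticket, the following Python sketch models the whitespace-tolerant check the description refers to: an html macro marker, opening or closing, that is still recognised when whitespace follows the macro name (`{{html }}`, `{{/html }}`). Wrapping pre-rendered content in `{{html clean="false"}}...{{/html}}`, neutralising markers by entity-encoding their braces, and matching the macro name case-insensitively are assumptions of this example, not details taken from the ticket or from XWiki's implementation.

```python
import re

# Marker of an XWiki HTML macro, opening ({{html ...}}, {{html}}, {{html/}}) or
# closing ({{/html}}), where the macro name may be followed by whitespace, as in
# "{{html }}" or "{{/html }}". The whitespace-tolerant form is the case the
# ticket describes; case-insensitive matching is an added defensive assumption.
HTML_MACRO_MARKER = re.compile(r"\{\{/?html(?=\s|/?\}\})", re.IGNORECASE)


def find_html_macro_markers(text: str) -> list:
    """Return every HTML macro marker found in `text`, in document order.

    Useful as a detection hook: anything returned for content that should not
    carry wiki syntax is worth logging.
    """
    return [m.group(0) for m in HTML_MACRO_MARKER.finditer(text)]


def neutralize_html_macro_markers(text: str) -> str:
    """Rewrite each marker so the wiki macro parser no longer recognises it.

    The leading "{{" is replaced by HTML numeric character references: the
    browser still shows literal braces, but no "{{html" / "{{/html" sequence
    remains for the macro parser to match. (Assumed strategy for this example,
    not the approach used by XWiki itself.)
    """
    return HTML_MACRO_MARKER.sub(lambda m: "&#123;&#123;" + m.group(0)[2:], text)


def wrap_in_html_macro(untrusted_html: str) -> str:
    """Embed pre-rendered HTML in an html macro the way a display API might,
    neutralising markers in the untrusted part first so it cannot terminate
    the surrounding macro early. (Assumed wrapping pattern.)"""
    return (
        '{{html clean="false"}}'
        + neutralize_html_macro_markers(untrusted_html)
        + "{{/html}}"
    )


def outer_macro_intact(wrapped: str) -> bool:
    """Check that the only markers in the wrapped output are the outer pair:
    one opening marker at the very start and one closing marker at the end."""
    markers = [(m.start(), m.group(0)) for m in HTML_MACRO_MARKER.finditer(wrapped)]
    closing = "{{/html}}"
    return (
        len(markers) == 2
        and markers[0] == (0, "{{html")
        and markers[1] == (len(wrapped) - len(closing), "{{/html")
        and wrapped.endswith(closing)
    )


# Constructed sample input (not from the ticket): content that contains a
# closing and an opening marker with a space after the macro name.
SAMPLE_UNTRUSTED = "<p>hello</p>{{/html }}{{html }}<b>still inside?</b>"

if __name__ == "__main__":
    print(find_html_macro_markers(SAMPLE_UNTRUSTED))
    wrapped = wrap_in_html_macro(SAMPLE_UNTRUSTED)
    print(wrapped)
    print(outer_macro_intact(wrapped))
```

A detection-only deployment would keep `find_html_macro_markers` and alert on non-empty results; the neutralisation step is what turns the check into the "extra safety net" the ticket asks for, and the lookahead is what makes `{{/html }}` count as a marker while leaving unrelated text such as `{{htmlish}}` alone.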

People

Michael Hamann