Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-4740

Parser should filter (% style="background:url('javascript:badscript') %) because some browsers will execute such script.

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Duplicate
    • Minor
    • None
    • 2.1.1
    • Rendering
    • security xss javascript
    • Unknown

    Description

      I see no reason why a script should be used for generating a background (which only works in some browsers) and I think we should be filtering such script.
      Some browsers (IE and some versions of Safari) will run the javascript.
      Will still run if newlines are inserted:

      (% style="background:url('java
script:badscript') %)

      also runs.

      I consider it low priority until there is a mechanism for limiting which users have permission to invoke the html macro.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. XRENDERING-663 XSS Javascript injection via XWiki 2.x syntax

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              surli Simon Urli
              calebjamesdelisle CalebJamesDeLisle
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: