Description
I see no reason why a script should be used for generating a background (which only works in some browsers) and I think we should be filtering such scripts.
Some browsers (IE and some versions of Safari) will run the JavaScript.
Will still run if newlines are inserted:
(% style="background:url('java script:badscript') %)
also runs.
I consider it low priority until there is a mechanism for limiting which users have permission to invoke the html macro.
Issue Links
- duplicates XRENDERING-663 XSS Javascript injection via XWiki 2.x syntax (Closed)
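A filter of the kind the description asks for has to normalise the URL before testing its scheme, otherwise the newline variant passes. The sketch below is an added example, not part of the issue and not XWiki's code: the function names, the simplified parsing of `(% ... %)` parameter blocks and the sample inputs are all assumptions made for illustration.

```python
import re

# Hypothetical filter: every name here is illustrative, none is an XWiki API.
SCRIPT_SCHEMES = {"javascript", "vbscript"}
PARAM_BLOCK = re.compile(r"\(%(.*?)%\)", re.DOTALL)
STYLE_ATTR = re.compile(r"style\s*=\s*([\"'])(.*?)\1", re.IGNORECASE | re.DOTALL)
CSS_URL = re.compile(r"url\(\s*([\"']?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.DOTALL)


def decode_css_escapes(text):
    """Resolve CSS backslash escapes (for example \\6a for 'j') before matching."""
    def repl(match):
        if match.group(1):
            code = int(match.group(1), 16)
            return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
        return match.group(2)
    return CSS_ESCAPE.sub(repl, text)


def url_scheme(value):
    """Scheme of a URL after dropping whitespace and control characters.

    Deliberately stricter than a browser: every character <= 0x20 is removed,
    so a scheme split by a newline, tab or space is still recognised.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20 and ord(ch) != 0x7F)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return match.group(1).lower() if match else None


def script_urls_in_style(style):
    """Return the url(...) targets in a style value that use a script scheme."""
    decoded = decode_css_escapes(style)
    return [m.group(2) for m in CSS_URL.finditer(decoded)
            if url_scheme(m.group(2)) in SCRIPT_SCHEMES]


def find_script_styles(wiki_text):
    """Return the style values in (% ... %) blocks that should be rejected."""
    return [attr.group(2)
            for block in PARAM_BLOCK.finditer(wiki_text)
            for attr in STYLE_ATTR.finditer(block.group(1))
            if script_urls_in_style(attr.group(2))]


# Constructed sample input, modelled on the markup quoted in the description.
SAMPLE = "(% style=\"background:url('java\nscript:badscript')\" %)"
```

A style value that this check flags should be dropped or have the offending declaration removed before the parameter is rendered as an HTML attribute.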