XWiki Platform
XWIKI-4818: XSS injection through usernames (firstname, lastname)

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Affects Version/s: 2.2 RC1, 2.1.2
    • Fix Version/s: 2.2 M2
    • Component/s: {Unused} Core
    • None
    • XSS username
    • Unknown

    Description

      Test case:
      1. Sign up with this as your first name:
      <script>alert("hole");</script>
      2. Edit some pages.
      3. Log out.
      4. Wander around the wiki and count the number of times you get the alert.

      Possible fix:
      XWiki.getUserName(String user, String format, boolean link, XWikiContext context)
      returns an HTML link if it can find the user object, and we can reasonably assume that a link should not have HTML inside of it, so we should be able to safely change the behaviour in cases where it is getting the link.
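
The flow the test case and the proposed fix describe, as an added example rather than code from the XWiki project: a Python stand-in for the Java XWiki.getUserName() that renders the user link with the stored name unescaped, next to the same link with HTML escaping applied at the output point, both run over a constructed page history so the script tags can be counted as step 4 asks. The user profiles, the URL layout and every function name here are assumptions, not XWiki internals.

```python
"""Added illustration (not XWiki's code): why an unescaped display name in the
user link is stored XSS, and what escaping at the link-rendering point buys.
Python stands in for the Java XWiki.getUserName(); every name here is hypothetical."""
import html

# Constructed user profiles; Mallory's first name is the ticket's test payload.
USERS = {
    "XWiki.Mallory": {"first_name": '<script>alert("hole");</script>', "last_name": "Smith"},
    "XWiki.Alice": {"first_name": "Alice", "last_name": "O'Neil"},
}

# Constructed page history: (version, author) rows, each rendered with a user link.
HISTORY = [("1.1", "XWiki.Mallory"), ("1.2", "XWiki.Alice"), ("1.3", "XWiki.Mallory")]


def display_name(user):
    """Join first and last name the way a profile page would."""
    return f"{user['first_name']} {user['last_name']}".strip()


def profile_href(user_ref):
    """Map a document reference like 'XWiki.Mallory' to its view URL (hypothetical layout)."""
    return "/xwiki/bin/view/" + user_ref.replace(".", "/")


def user_link_vulnerable(user_ref, users=USERS):
    """Mirrors the reported behaviour: the stored name is concatenated straight
    into the markup, so anything typed at sign-up is emitted as live HTML."""
    user = users.get(user_ref)
    if user is None:
        return user_ref
    return f'<a href="{profile_href(user_ref)}">{display_name(user)}</a>'


def user_link_escaped(user_ref, users=USERS):
    """The fix the ticket proposes, applied where the link is built: every
    user-controlled fragment is HTML-escaped for the context it lands in
    (quote=True so the attribute value is safe as well as the text node)."""
    user = users.get(user_ref)
    if user is None:
        return html.escape(user_ref, quote=True)
    href = html.escape(profile_href(user_ref), quote=True)
    return f'<a href="{href}">{html.escape(display_name(user), quote=True)}</a>'


def render_history(rows, link_fn):
    """Render a history table with one author link per row, using the given link renderer."""
    cells = "".join(f"<tr><td>{ver}</td><td>{link_fn(author)}</td></tr>" for ver, author in rows)
    return f"<table>{cells}</table>"


def count_script_tags(markup):
    """Step 4 of the test case, automated: how many live <script> elements does
    the rendered page carry? A substring scan is enough for this constructed input."""
    return markup.lower().count("<script")


if __name__ == "__main__":
    for name, fn in (("vulnerable", user_link_vulnerable), ("escaped", user_link_escaped)):
        page = render_history(HISTORY, fn)
        print(f"{name}: {count_script_tags(page)} script tag(s)\n  {page}")
```

The escaping belongs at the point where the name is written into markup, not at sign-up: the same first name may later be emitted into a plain-text context, and the ticket's assumption that "a link should not have HTML inside of it" only covers the branch that builds the link.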

People

    Assignee: Sergiu Dumitriu (sdumitriu)
    Reporter: CalebJamesDeLisle (calebjamesdelisle)
    Votes: 0
    Watchers: 0