Details
- Improvement
- Resolution: Duplicate
- Minor
- None
- 2.2 RC1, 2.3 M1
- security
- Unknown
- N/A
- N/A
Description
XWiki allows any user to use all the power of Wiki syntax (especially HTML and JavaScript) almost everywhere, which makes it very flexible, but also vulnerable to various stored XSS attacks. For example, a user A that is only allowed to edit one page can insert a malicious script that will silently edit any other page he likes (or give A administrative rights) once another user B with higher privileges views the malicious page.
I suggest adding an additional "HTML" access right that would allow the use of html macros (including features like parametrized paragraphs using (% style="..." onmouseover="<enter your script here>" %), custom image style using [[image:img.png||onload="<enter your script here>"]], etc.). This would make it possible to preserve the full flexibility where it is needed (trusted users) and to allow untrusted users to edit or comment on some pages (e.g. blog) using a safe subset of Wiki syntax.
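The following is an added illustration of the gate the proposal describes; it is not XWiki's code and does not reflect how XWiki implements rights. The right name "html", the small parameter grammar it handles and the sample wiki text are assumptions made for this example. An author holding the right keeps full markup; everyone else is rendered with a safe subset: html macros are dropped and event-handler or script-URL parameters are stripped from (% ... %) groups and [[...||...]] links. A second helper audits existing content for constructs that would need the right, which is the check an administrator would want before turning such a right on.

```python
"""Illustrative rendering gate for a proposed "HTML" right (added example, not XWiki code).

Assumptions: the right is named "html", (% ... %) and [[target||params]] carry
key="value" parameters, and {{html}}...{{/html}} is the raw-HTML macro."""
import re

PARAM_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')
GROUP_RE = re.compile(r'\(%(.*?)%\)', re.S)                  # (% style="..." %) paragraph params
LINK_RE = re.compile(r'\[\[([^\]|]*)\|\|([^\]]*)\]\]')       # [[image:x.png||onload="..."]]
HTML_MACRO_RE = re.compile(r'\{\{html\b[^}]*\}\}.*?\{\{/html\s*\}\}', re.S | re.I)
REMOVED = "[raw HTML removed: author lacks the HTML right]"


def is_safe_param(name: str, value: str) -> bool:
    """Reject the parameter kinds that turn markup into script execution."""
    lname = name.lower()
    if lname.startswith("on"):                       # onload, onmouseover, ...
        return False
    if value.strip().lower().startswith("javascript:"):
        return False
    if lname == "style" and re.search(r'expression\s*\(|url\s*\(', value, re.I):
        return False
    return True


def filter_params(param_text: str, allow_html: bool) -> str:
    """Keep every parameter for trusted authors, only safe ones otherwise."""
    pairs = PARAM_RE.findall(param_text)
    if not allow_html:
        pairs = [(n, v) for n, v in pairs if is_safe_param(n, v)]
    return " ".join(f'{n}="{v}"' for n, v in pairs)


def gate(content: str, author_rights: set) -> str:
    """Rewrite wiki content according to the rights of the author who saved it."""
    allow_html = "html" in author_rights
    if not allow_html:
        content = HTML_MACRO_RE.sub(REMOVED, content)

    def fix_group(m):
        kept = filter_params(m.group(1), allow_html)
        return f"(% {kept} %)" if kept else ""

    def fix_link(m):
        kept = filter_params(m.group(2), allow_html)
        return f"[[{m.group(1)}||{kept}]]" if kept else f"[[{m.group(1)}]]"

    content = GROUP_RE.sub(fix_group, content)
    return LINK_RE.sub(fix_link, content)


def find_html_uses(content: str) -> list:
    """Audit helper: list the constructs in a page that would need the HTML right."""
    hits = []
    if HTML_MACRO_RE.search(content):
        hits.append("html macro")
    for m in GROUP_RE.finditer(content):
        hits += [f"param {n}" for n, v in PARAM_RE.findall(m.group(1)) if not is_safe_param(n, v)]
    for m in LINK_RE.finditer(content):
        hits += [f"link param {n}" for n, v in PARAM_RE.findall(m.group(2)) if not is_safe_param(n, v)]
    return hits


# Constructed sample mirroring the three cases named in the description.
SAMPLE = (
    '(% style="color:red" onmouseover="untrustedScript()" %)Hello\n'
    '[[image:img.png||onload="untrustedScript()"]]\n'
    '{{html}}<script>untrustedScript()</script>{{/html}}\n'
)

if __name__ == "__main__":
    print(gate(SAMPLE, {"edit"}))            # untrusted author: safe subset only
    print(gate(SAMPLE, {"edit", "html"}))    # trusted author: content unchanged
    print(find_html_uses(SAMPLE))
```

The gate keys on the rights of the author who last saved the content, not on the rights of the viewer, because the attack in the description relies on a higher-privileged viewer rendering a lower-privileged author's markup.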
Attachments
Issue Links
- duplicates XWIKI-9118 XSS in restricted context via html macro (Closed)