Details
- Type: Bug
- Resolution: Duplicate
- Priority: Major
- Affects Version/s: 2.2 RC1, 2.3 M1
- Environment: Linux, Jetty + HSQLDB
- Labels: security, xss
Description
An unprivileged user with "Comment" rights can insert malicious JavaScript into comments using HTML macros or other unsafe features like (% style="..." onmouseover="<insert your script here>" %). Such scripts are executed with the rights of the user once he views the comment.
Example:
{{html}}<script>alert("blah")</script>{{/html}}
IMO there is no reason to allow any unsafe Wiki syntax features in comments.
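The report names two constructs that let comment markup reach a viewer's browser as executable script: the {{html}} macro and event-handler parameters (on*) inside (% ... %) parameter blocks. The following is an added example, not XWiki's own code, of a pre-save check a defender can run on comment markup before it is rendered: it lists the offending constructs so they can be logged or rejected, and it also neutralizes them by dropping unsafe macros with their bodies and stripping on* parameters. The regex-based parse of XWiki 2.x syntax, the `UNSAFE_MACROS` denylist and the sample comments are assumptions constructed for the example.

```python
import re

# Constructed denylist (assumption): macros that emit raw HTML or run
# server-side scripts. Which macros count as unsafe is a deployment decision.
UNSAFE_MACROS = {"html", "velocity", "groovy", "python", "script"}

# {{name params}} ... {{/name}}, or self-closing {{name/}}
MACRO_RE = re.compile(r"\{\{\s*(/?)([A-Za-z]\w*)(.*?)\}\}", re.DOTALL)
# (% key="value" ... %) parameter blocks
PARAM_BLOCK_RE = re.compile(r"\(%(.*?)%\)", re.DOTALL)
# key=value pairs inside a parameter block (quoted or bare values)
ATTR_RE = re.compile(r"""([A-Za-z_:][-\w:.]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"']+)""")


def find_unsafe_syntax(text: str) -> list[tuple[str, str, int]]:
    """Return (kind, name, offset) for each unsafe construct found in comment markup."""
    findings = []
    for m in MACRO_RE.finditer(text):
        closing, name, _ = m.groups()
        if not closing and name.lower() in UNSAFE_MACROS:
            findings.append(("macro", name.lower(), m.start()))
    for m in PARAM_BLOCK_RE.finditer(text):
        for a in ATTR_RE.finditer(m.group(1)):
            attr = a.group(1).lower()
            if attr.startswith("on"):  # onmouseover, onclick, ...
                findings.append(("event-handler", attr, m.start()))
    return findings


def neutralize_comment(text: str) -> str:
    """Drop unsafe macros (body included) and strip on* parameters from (% %) blocks."""
    out = []
    pos = 0
    skip_until = None  # name of the unsafe macro whose closing tag we are consuming
    for m in MACRO_RE.finditer(text):
        closing, name, params = m.group(1), m.group(2).lower(), m.group(3)
        if skip_until is not None:
            if closing and name == skip_until:
                pos = m.end()
                skip_until = None
            continue
        if not closing and name in UNSAFE_MACROS:
            out.append(text[pos:m.start()])
            pos = m.end()
            if not params.rstrip().endswith("/"):  # {{html/}} has no body
                skip_until = name
    if skip_until is None:
        out.append(text[pos:])  # an unclosed unsafe macro swallows the rest
    result = "".join(out)

    def clean_block(m: re.Match) -> str:
        kept = [a.group(0) for a in ATTR_RE.finditer(m.group(1))
                if not a.group(1).lower().startswith("on")]
        return "(% " + " ".join(kept) + " %)" if kept else ""

    return PARAM_BLOCK_RE.sub(clean_block, result)


# Constructed sample comments for demonstration.
SAMPLE_COMMENTS = [
    '{{html}}<script>alert("blah")</script>{{/html}} hello',
    '(% style="color:red" onmouseover="alert(1)" %)Some **bold** text',
    'Plain comment with {{info}}a tip{{/info}} and (% class="note" %)text',
]

if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print("findings:", find_unsafe_syntax(comment))
        print("rendered as:", repr(neutralize_comment(comment)))
```

Rejecting a comment that produces any finding is the stricter option and the one the report argues for; the neutralizing rewrite is shown so the two policies can be compared on the same input. Because the parse is regex-based, it is a triage aid for logs and tests, not a substitute for rendering comments in a restricted mode inside the wiki engine itself.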
Issue Links
- depends on: XWIKI-7878 Add a 'restricted' parameter to transformation context to enable a safe rendering mode (Closed)
- duplicates: XWIKI-2107 Comments XSS vulnerability (Closed)