XWiki Platform, XWIKI-4875

Security issue: Arbitrary HTML code can be used in comments

Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • None
    • Affects Version/s: 2.2 RC1, 2.3 M1
    • Component/s: Authentication
    • None
    • Environment: Linux, Jetty + HSQLDB
    • Labels: security, xss
    • Unknown

    Description

      An unprivileged user with "Comment" rights can insert malicious JavaScript into comments using the html macro or other unsafe syntax features such as (% style="..." onmouseover="<insert your script here>" %). Such scripts execute with the rights of whichever user views the comment.

      Example:

      {{html}}<script>alert("blah")</script>{{/html}}
      

      IMO there is no reason to allow any unsafe Wiki syntax features in comments.
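The following is an added example, not code from XWiki or from the reporter. It shows the kind of server-side check the description proposes: before a comment is stored or rendered, reject unsafe macros and strip event-handler attributes from (% ... %) parameter blocks. The macro list, the regular expressions and the sample comments are constructed assumptions for illustration only; a real fix would work on the parsed syntax tree rather than on regexes, and would render comments without the privileges of the viewing user.

```python
import re

# Constructed sample comments (not taken from the issue). The first two
# follow the two patterns the report describes; the others are control cases.
SAMPLE_COMMENTS = [
    '{{html}}<script>alert("blah")</script>{{/html}}',
    '(% style="color:red" onmouseover="doSomething()" %)Hover me',
    'Plain comment with **bold** text and a [[link>>Main.WebHome]]',
    '{{velocity}}$doc.name{{/velocity}}',
]

# Assumed list of macros that must never be allowed in a comment because
# they emit raw HTML or run server-side script. Adjust to the deployment.
UNSAFE_MACROS = {"html", "velocity", "groovy", "python", "script"}

# {{macroname ...}} opening tags (closing {{/name}} tags do not match because
# '/' is not in the name character class).
MACRO_RE = re.compile(r"\{\{\s*([a-zA-Z0-9_-]+)\b", re.IGNORECASE)

# (% ... %) wiki parameter blocks, which can carry arbitrary attributes.
PARAM_BLOCK_RE = re.compile(r"\(%(.*?)%\)", re.DOTALL)

# on<event>= attribute names inside a parameter block.
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)

# Full on<event>="value" / 'value' / bareword pair, including leading space,
# so it can be removed cleanly from the parameter block.
EVENT_ATTR_FULL_RE = re.compile(
    r"""\s*\bon[a-z]+\s*=\s*("[^"]*"|'[^']*'|\S+)""", re.IGNORECASE
)


def find_unsafe_constructs(comment):
    """Return a list of findings describing unsafe syntax in the comment."""
    findings = []
    for m in MACRO_RE.finditer(comment):
        name = m.group(1).lower()
        if name in UNSAFE_MACROS:
            findings.append("macro:" + name)
    for block in PARAM_BLOCK_RE.finditer(comment):
        for attr in EVENT_ATTR_RE.finditer(block.group(1)):
            findings.append(
                "event-attribute:" + attr.group(0).rstrip("=").strip().lower()
            )
    return findings


def is_safe_comment(comment):
    """True when no unsafe macro or event-handler attribute was found."""
    return not find_unsafe_constructs(comment)


def strip_event_attributes(comment):
    """Remove on<event>=... attributes from every (% ... %) block.

    Unsafe macros are not rewritten here: a comment containing one should be
    rejected outright by the caller (see is_safe_comment)."""
    def clean(match):
        return "(%" + EVENT_ATTR_FULL_RE.sub("", match.group(1)) + "%)"
    return PARAM_BLOCK_RE.sub(clean, comment)


if __name__ == "__main__":
    for text in SAMPLE_COMMENTS:
        print(repr(text), "->", find_unsafe_constructs(text) or "ok")
```

Run stand-alone, the script prints one line per sample comment with the findings for it; the two payload-shaped samples are flagged and the plain wiki-syntax comment passes.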


            People

              Assignee: Andreas Jonsson (aj)
              Reporter: Alex Busenius (nickless)
