Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-4875

Security issue: Arbitrary HTML code can be used in comments

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 2.2 RC1, 2.3 M1
    • Authentication
    • None
    • Linux, Jetty + HSQLDB
    • security, xss
    • Unknown

    Description

      An unprivileged user with "Comment" rights can insert malicious JavaScript into comments using html macros or other unsafe features like (% style="..." onmouseover="<insert your script here>" %). Such scripts are executed with the rights of the user once he views the comment.

      Example:

      {{html}}<script>alert("blah")</script>{{/html}}

      IMO there is no reason to allow any unsafe Wiki syntax features in comments.

      Attachments

        Issue Links

          depends on

          Task - A task that needs to be done. XWIKI-7878 Add a 'restricted' parameter to transformation context to enable a safe rendering mode

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          duplicates

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-2107 Comments XSS vulnerability

          • Major - Major loss of function.
          • Closed

          Activity

            People

              aj Andreas Jonsson
              nickless Alex Busenius
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: