  1. XWiki Platform
  2. XWIKI-5996

CSRF tokens can sometimes break the HTML and layout

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.0 M2
    • Fix Version/s: 2.7.1, 3.0 M3
    • Component/s: Other
    • Labels:
      None
    • Tests:
      Unit
    • Difficulty:
      Unknown

      Description

      They can contain underscores, and they can sometimes come in pairs, and that is the wiki syntax for underline. If the token happens to be in a block that is supposed to allow wiki syntax, which happens almost always, then the whole HTML gets broken, as in:

      <input name="form_token" type="hidden" value="M5"></input><del>40xQ_xNlw9am5bA9RA" /&gt;</del>
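
The collision described above can be reproduced and avoided as follows. This is an added example, not XWiki's code or its actual fix; the two-rule renderer, the sample token and all function names are assumptions made for illustration.

```python
import re
import secrets
import string

# Toy stand-in for a wiki renderer with two inline rules (assumed for this
# example): --text-- becomes <del>, __text__ becomes <ins>.
INLINE_RULES = [
    (re.compile(r"--(.+?)--", re.S), r"<del>\1</del>"),
    (re.compile(r"__(.+?)__", re.S), r"<ins>\1</ins>"),
]

# Constructed sample token (not a real one) that contains a pair of "--".
SAMPLE_TOKEN = "aB--3dE_f--Gh"


def render_wiki(text):
    """Apply the inline rules to text that is allowed to contain wiki syntax."""
    for pattern, replacement in INLINE_RULES:
        text = pattern.sub(replacement, text)
    return text


def hidden_field(token):
    """Hidden form field carrying the CSRF token, as emitted into the page."""
    return '<input type="hidden" name="form_token" value="%s" />' % token


def is_markup_safe(token):
    """True when the token uses only characters no inline rule can match."""
    return re.fullmatch(r"[A-Za-z0-9]+", token) is not None


def markup_safe_token(length=22):
    """Random token over [A-Za-z0-9]; 22 symbols carry about 131 bits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(render_wiki(hidden_field(SAMPLE_TOKEN)))   # markup lands inside value=""
    token = markup_safe_token()
    print(render_wiki(hidden_field(token)))          # field passes through intact
```

Restricting the token alphabet keeps the field intact wherever it is emitted, without relying on every template to escape it from wiki rendering.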
      

            People

            • Assignee:
              nickless Alex Busenius
            • Reporter:
              sdumitriu Sergiu Dumitriu
            • Votes:
              0
            • Watchers:
              1
