Details
-
Bug
-
Resolution: Solved By
-
Blocker
-
1.6 M1
-
High
-
Medium
-
N/A
-
N/A
-
Description
To reproduce, just put the following comment on any page :
{{html}} <a href='' onclick='alert("xss")'>XSS</a> {{/html}}
Comments are executed in a restricted context won which we disabled server side scripting for example, so it sounds equally necessary to filter out client side scripting.
Attachments
Issue Links
- depends on
-
XWIKI-18049 Improve the html escaping mechanism for XSS protection
- Closed
-
XCOMMONS-1680 Filter Html attributes in restricted mode based on a whitelist
- Closed
- is duplicated by
-
XWIKI-9147 Secure the HTML macro
- Closed
-
XWIKI-4874 Restrict unsafe HTML/JavaScript features of Wiki syntax to trusted users
- Closed
- is related to
-
XWIKI-7878 Add a 'restricted' parameter to transformation context to enable a safe rendering mode
- Closed
- relates to
-
XWIKI-18568 Multiple instances of stored cross-site scripting (XSS) via editor and HTML macro
- Closed
-
XWIKI-19514 XSS using a JSX object
- Closed
- links to