XWiki Platform / XWIKI-9118

XSS in restricted context via html macro


Details

    • High
    • Medium
    • N/A
    • N/A

    Description

      To reproduce, just put the following comment on any page:

      {{html}}
      <a href='' onclick='alert("xss")'>XSS</a>
      {{/html}}
      

      Comments are executed in a restricted context, in which we disabled server-side scripting for example, so it sounds equally necessary to filter out client-side scripting.
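      The kind of filtering the report asks for, shown as an added illustration rather than XWiki's own code: a small allow-list HTML sanitizer that a restricted rendering context (a comment, for instance) could apply to the body of an html macro before it reaches the browser. The class and function names, the allow-lists and the `render_html_macro` stand-in are hypothetical constructions for this example only; the sample input is the reporter's reproduction snippet from above, and the other inputs are constructed test strings.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical allow-lists for a restricted context: only plain formatting
# tags survive, and only a few harmless attributes on them.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag AND body go
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def _url_is_safe(value):
    """Allow relative URLs and a short list of schemes; reject anything else.

    Browsers ignore ASCII control characters and whitespace inside a scheme,
    so they are stripped before the scheme is compared.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value).lower()
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True  # no scheme at all: a relative link
    return match.group(1) in SAFE_SCHEMES


class RestrictedHtmlSanitizer(HTMLParser):
    """Re-serialises HTML keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # human-readable record of what was removed
        self._skip_depth = 0    # > 0 while inside an element dropped with its content

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(f"element <{tag}> and its content")
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag <{tag}>")   # tag removed, its text is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                # Every on* attribute is an inline event handler: client-side script.
                self.dropped.append(f"event handler {name} on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attribute {name} on <{tag}>")
                continue
            if name in ("href", "src") and not _url_is_safe(value):
                self.dropped.append(f"unsafe URL in {name} on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on the way out, so entities cannot smuggle markup.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_restricted_html(html):
    """Return (clean_html, list_of_dropped_items)."""
    parser = RestrictedHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


def render_html_macro(body, restricted):
    """Hypothetical stand-in for an html macro: unrestricted contexts pass the
    body through, restricted ones (such as comments) get the sanitized form."""
    if not restricted:
        return body
    clean, _ = sanitize_restricted_html(body)
    return clean


if __name__ == "__main__":
    # The reporter's reproduction snippet, rendered as a comment would be.
    payload = "<a href='' onclick='alert(\"xss\")'>XSS</a>"
    clean, dropped = sanitize_restricted_html(payload)
    print(clean)      # <a href="">XSS</a>
    print(dropped)    # ['event handler onclick on <a>']
```

      The `dropped` list is the part worth keeping in a real deployment: logging what the sanitizer removed from a comment gives the site operator a detection signal for attempts like the one in this report, while the allow-list (rather than a deny-list of known-bad attributes) keeps new HTML features from slipping through unreviewed.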

People

  MichaelHamann Michael Hamann
  thomas_delafosse Thomas Delafosse
  Alex Busenius, Richard Curteis, Stuart Walker
  Votes: 0
  Watchers: 3
