[JSPWIKI-1109] ReferredPagesPlugin with illegal characters in parameters causes XSS vulnerability - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.11.0-M4
Component/s: None
Labels:
None

Description

Adding illegal characters (<...>) to some of the parameters of the ReferredPagesPlugin are not properly escaped in the output of the plugin.

EG:

[{ReferredPagesPlugin page='"><svg onload=alert(/page_xss/)>' type='local|external|attachment' depth='1..8' include='regexp"><svg onload=alert(/include_xss/)>' exclude='regexp"><svg onload=alert(/exclude_xss/)>'}]

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Dirk Frederickx

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Apr/19 16:51

Updated:: 29/May/19 22:30

Resolved:: 29/May/19 22:30