  1. JSPWiki
  2. JSPWIKI-1109

ReferredPagesPlugin with illegal characters in parameters causes XSS vulnerability

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.11.0-M4
    • Component/s: None
    • Labels:
      None

      Description

      Illegal characters (<...>) added to some of the parameters of the ReferredPagesPlugin are not properly escaped in the output of the plugin.

      E.g.:

      [{ReferredPagesPlugin page='"><svg onload=alert(/page_xss/)>' type='local|external|attachment' depth='1..8' include='regexp"><svg onload=alert(/include_xss/)>' exclude='regexp"><svg onload=alert(/exclude_xss/)>'}]
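
The remedy for the behaviour reported above is to HTML-escape each parameter value at the point where it is written into markup. The following is an added example, not JSPWiki's own code: the class `ReferredPagesOutputDemo`, its methods and the `<div title="...">` layout are hypothetical, and only the JDK is used.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Hypothetical stand-in for a plugin that echoes its parameters into HTML (not JSPWiki source).
public class ReferredPagesOutputDemo {

    // Escape the five characters that can break out of HTML text or a
    // quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Before: parameter values are concatenated into the attribute as-is.
    static String renderUnescaped(Map<String, String> p) {
        return "<div class=\"ReferredPagesPlugin\" title=\"page=" + p.get("page")
             + " include=" + p.get("include") + " exclude=" + p.get("exclude") + "\">";
    }

    // After: every value is escaped at the point of output.
    static String renderEscaped(Map<String, String> p) {
        return "<div class=\"ReferredPagesPlugin\" title=\"page=" + escapeHtml(p.get("page"))
             + " include=" + escapeHtml(p.get("include"))
             + " exclude=" + escapeHtml(p.get("exclude")) + "\">";
    }

    public static void main(String[] args) {
        // Parameter values taken from the report above.
        Map<String, String> p = new LinkedHashMap<>();
        p.put("page", "\"><svg onload=alert(/page_xss/)>");
        p.put("include", "regexp\"><svg onload=alert(/include_xss/)>");
        p.put("exclude", "regexp\"><svg onload=alert(/exclude_xss/)>");
        System.out.println("unescaped: " + renderUnescaped(p));
        String safe = renderEscaped(p);
        System.out.println("escaped:   " + safe);
        // The escaped form must contain exactly one tag: the plugin's own <div>.
        if (safe.indexOf('<', 1) != -1) throw new AssertionError("markup leaked");
    }
}
```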
      

       


            People

            • Assignee: Unassigned
            • Reporter: brushed brushed