[ https://issues.apache.org/jira/browse/JSPWIKI-1109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Juan Pablo Santos Rodríguez updated JSPWIKI-1109:
-------------------------------------------------
    Security:   (was: Security Vulnerability Disclosure)

> ReferredPagesPlugin with illegal characters in parameters causes XSS vulnerability
> ----------------------------------------------------------------------------------
>
> Key: JSPWIKI-1109
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1109
> Project: JSPWiki
> Issue Type: Improvement
> Reporter: brushed
> Priority: Minor
> Fix For: 2.11.0-M4
>
>
> Illegal characters (<...>) added to some of the parameters of the ReferredPagesPlugin are not properly escaped in the output of the plugin.
> E.g.:
> {code}[{ReferredPagesPlugin page='"><svg onload=alert(/page_xss/)>' type='local|external|attachment' depth='1..8' include='regexp"><svg onload=alert(/include_xss/)>' exclude='regexp"><svg onload=alert(/exclude_xss/)>'}]
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)