Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-13451

XSS bug in wiki markup link rendering

    XMLWordPrintable

    Details

      Description

      The following wikimarkup creates links with an onclick event.

      [test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]
      [test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]
      

      This is due to the following code in ConfluenceLinkResolver at line 319 (ish)

      // in private boolean isUrlLink(String textWithoutTitle)
      
              if (textWithoutTitle.startsWith("mailto:") || textWithoutTitle.startsWith("file:"))
              {
                  return true;
              }
              else
              {
                  // URLs don't strictly allow single quote characters, but we want to allow one
                  String encodedText = textWithoutTitle.replaceAll("'","");
                  boolean isUrl = UrlUtils.verifyHierachicalURI(encodedText);
                  return isUrl;
              }
      

      I haven't checked how far back this actually goes, but I suspect it's a long way.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              dtaylor David Taylor (Inactive)
              Reporter:
              don.willis@atlassian.com Don Willis
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: