Details
- Type: Bug
- Status: Closed
- Priority: High
- Resolution: Fixed
- Affects Version/s: 2.7, 2.8, 2.9
- Fix Version/s: 2.10
- Component/s: None
- Labels:
- Bug Fix Policy:
Description
The following wikimarkup creates links with an onclick event.
[test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]
This is due to the following code in ConfluenceLinkResolver at line 319 (ish):
// in private boolean isUrlLink(String textWithoutTitle)
if (textWithoutTitle.startsWith("mailto:") || textWithoutTitle.startsWith("file:"))
{
    return true;
}
else
{
    // URLs don't strictly allow single quote characters, but we want to allow one
    String encodedText = textWithoutTitle.replaceAll("'","");
    boolean isUrl = UrlUtils.verifyHierachicalURI(encodedText);
    return isUrl;
}
I haven't checked how far back this actually goes, but I suspect it's a long way.
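An added example, not part of the original report and not Confluence's code or its actual fix: the prefix-only check from the snippet above beside a stricter check and attribute escaping, run on the report's sample link target. The class and method names are hypothetical, and it assumes the renderer writes the link target into a double-quoted href attribute.

```java
import java.net.URI;
import java.net.URISyntaxException;
// Hypothetical class and method names; not Confluence code.
public class MailtoLinkCheck {
    // Mirrors the reported branch: a "mailto:" or "file:" prefix is accepted unexamined.
    static boolean isUrlLinkPrefixOnly(String text) {
        return text.startsWith("mailto:") || text.startsWith("file:");
    }

    // Stricter check: the whole string must parse as a URI with a scheme.
    // java.net.URI rejects '"', spaces, '<' and '>', so trailing attribute text fails.
    static boolean isUrlLinkStrict(String text) {
        try {
            return new URI(text).getScheme() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Escape for an HTML attribute value, applied at output regardless of validation.
    static String escapeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Assumed rendering: link target placed in a double-quoted href attribute.
    static String renderLink(String href, String body) {
        return "<a href=\"" + escapeAttr(href) + "\">" + escapeAttr(body) + "</a>";
    }

    public static void main(String[] args) {
        // Link target taken from the wiki markup in the report.
        String sample = "mailto:whatever@broken.com\" onclick=\"alert('hi. I am a fun onclick event')";
        System.out.println("prefix-only accepts:  " + isUrlLinkPrefixOnly(sample));
        System.out.println("strict accepts:       " + isUrlLinkStrict(sample));
        System.out.println("strict accepts plain: " + isUrlLinkStrict("mailto:whatever@broken.com"));
        System.out.println("escaped output: " + renderLink(sample, "test link"));
    }
}
```

Validation and escaping are independent layers here: the strict check refuses the malformed target, and the escaping keeps any quote that does reach the renderer inside the attribute value.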
Issue Links
- is related to CONFSERVER-3086 Hyperlink other protocols (e.g. notes://) automatically (Closed)