[CONFSERVER-13451] XSS bug in wiki markup link rendering - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: High
Resolution: Fixed
Affects Version/s: 2.7, 2.8, 2.9
Fix Version/s: 2.10
Component/s: None
Labels:
- affects-server
- editor
- qa-manual
- renderer
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

The following wikimarkup creates links with an onclick event.

[test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]
[test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]

This is due to the following code in ConfluenceLinkResolver at line 319 (ish)

// in private boolean isUrlLink(String textWithoutTitle)

        if (textWithoutTitle.startsWith("mailto:") || textWithoutTitle.startsWith("file:"))
        {
            return true;
        }
        else
        {
            // URLs don't strictly allow single quote characters, but we want to allow one
            String encodedText = textWithoutTitle.replaceAll("'","");
            boolean isUrl = UrlUtils.verifyHierachicalURI(encodedText);
            return isUrl;
        }

I haven't checked how far back this actually goes, but I suspect it's a long way.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

atlassian-renderer-3.18.1.jar
203 kB
05/Nov/2008 4:25 AM
atlassian-renderer-3.19.1.jar
208 kB
05/Nov/2008 4:25 AM

Issue Links

is related to

CONFSERVER-3086 Hyperlink other protocols (e.g. notes://) automatically

Closed

Activity

People

Assignee:: David Taylor (Inactive)

Reporter:: Don Willis

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 20/Oct/2008 8:13 AM

Updated:: 11/Oct/2018 9:01 AM

Resolved:: 13/Nov/2008 6:12 AM