I got the following email from Ulrich Kuhnhardt <ulrich@comalatech.com>

      While we were doing some testing with XSS for the shiny new Publishing plugin we found that the velocity renderer does not escape $space.name

      To reproduce
      Create a space with name '><script>alert('bang')</script>css'
      Create a user macro 'simple-space-name' in Confluence admin with template '$space.name'
      Make a page in your XSS space with content

      {simple-space-name}

      I thought I'd let you know - it shouldn't be so easy to get an alert on the screen after rendering, should it?
      Happens to rendered .vm files from plugins too, of course; that's how we found it in the first place.
      The space name is escaped everywhere else and as per https://developer.atlassian.com/display/CONFDEV/Enabling+XSS+Protection+in+Plugins I did expect this to happen with $space.name as well.

      Didn't create an issue or post to Answers in case this smells.
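As an added illustration of the report above (not part of the email, and not Confluence's or Velocity's own code), the toy renderer below interpolates a `$space.name` reference the way the report describes, once raw and once with HTML encoding on output, using a constructed space name shaped like the one in the repro. It also includes a small lint that flags `.vm` lines emitting `$space.name` without an `htmlEncode(...)` wrapper; the helper name is an assumption, adjust it to whatever encoding helper your templates use.

```python
import html
import re

# Constructed sample values mirroring the report: a space name carrying markup,
# and a user-macro template whose body is just $space.name.
SPACE_NAME = "'><script>alert('bang')</script>css'"
MACRO_TEMPLATE = '<div class="space">$space.name</div>'

# Tiny subset of Velocity reference syntax ($obj.prop). This is a stand-in for
# the real renderer, enough to show raw versus encoded output side by side.
REF = re.compile(r"\$(\w+)\.(\w+)")


def render_raw(template, ctx):
    """Interpolate references with no output encoding (the reported behaviour)."""
    return REF.sub(lambda m: str(ctx[m.group(1)][m.group(2)]), template)


def render_escaped(template, ctx):
    """Same interpolation, but every value is HTML-encoded on output (the fix)."""
    return REF.sub(
        lambda m: html.escape(str(ctx[m.group(1)][m.group(2)]), quote=True),
        template,
    )


def contains_script(rendered):
    """Crude indicator used here only to show whether markup survived rendering."""
    return "<script" in rendered.lower()


# Defender-side lint for template sources: a bare $space.name that is not passed
# through htmlEncode(...) (assumed helper name) is reported with its line number.
ENCODED = re.compile(r"htmlEncode\(\s*\$space\.name\s*\)")
BARE = re.compile(r"(?<![\w.])\$space\.name\b")


def find_unescaped_refs(vm_source):
    """Return 1-based line numbers where $space.name is emitted without encoding."""
    hits = []
    for n, line in enumerate(vm_source.splitlines(), 1):
        if BARE.search(ENCODED.sub("", line)):
            hits.append(n)
    return hits


# Constructed .vm snippet: line 2 encodes the value, line 3 does not.
SAMPLE_VM = """## constructed template
<h1>$generalUtil.htmlEncode($space.name)</h1>
<p>$space.name</p>
<p>$space.key</p>
"""
```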

[CONFSERVER-35090] Velocity XSS in $space.name

Change history:

Don Willis made changes - Remote Link New: This issue links to "Page (Extranet)" [ 487767 ]
Katherine Yabut made changes - Workflow Original: JAC Bug Workflow v3 [ 2889458 ] New: CONFSERVER Bug Workflow v4 [ 3000287 ]
Owen made changes - Workflow Original: JAC Bug Workflow v2 [ 2801420 ] New: JAC Bug Workflow v3 [ 2889458 ]; Status Original: Resolved [ 5 ] New: Closed [ 6 ]
Owen made changes - Workflow Original: JAC Bug Workflow [ 2731811 ] New: JAC Bug Workflow v2 [ 2801420 ]
Owen made changes - Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2397092 ] New: JAC Bug Workflow [ 2731811 ]
Katherine Yabut made changes - Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 2294130 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2397092 ]
Katherine Yabut made changes - Workflow Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2230670 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 2294130 ]
Katherine Yabut made changes - Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2189028 ] New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2230670 ]
Katherine Yabut made changes - Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 1918810 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2189028 ]
Katherine Yabut made changes - Workflow Original: Confluence Workflow - Public Facing - Restricted v3 [ 1728635 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 1918810 ]

vvo Vu Truong Vo (Inactive)
jmasson@atlassian.com John Masson