Details
- Bug
- Resolution: Fixed
- Medium
- 5.6.3
- None
- 6
Description
I got the following email from Ulrich Kuhnhardt <ulrich@comalatech.com>
While we were doing some testing with XSS for the shiny new Publishing plugin we found that the velocity renderer does not escape $space.name.

To reproduce:
1. Create a space with name '><script>alert('bang')</script>css'
2. Create a user macro 'simple-space-name' in confluence admin with template '$space.name'
3. Make a page in your xss space with content {simple-space-name}

I thought I let you know - shouldn’t be so easy to get an alert on the screen after rendering?
Happens to rendered .vm from plugins too of course, that’s how we found it in the first place.
The space name is escaped everywhere else and as per https://developer.atlassian.com/display/CONFDEV/Enabling+XSS+Protection+in+Plugins I did expect this to happen with $space.name as well.

Didn’t create an issue or post to answers in case this smells.
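The behaviour the report expected, as an added example that is not part of the original report and is not Confluence or Velocity code: a simplified Python model of reference substitution that renders the report's space name through the `$space.name` template with and without HTML-encoding at output time. The `render` and `resolve` helpers and the attribute template are assumptions made for illustration.

```python
import html
import re

# Simplified subset of Velocity-style references such as $space.name
# (assumption: real Velocity syntax is richer than this pattern).
REF = re.compile(r"\$([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)")

def resolve(context, path):
    """Walk a dotted path through nested dicts; return None if it does not resolve."""
    value = context
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def render(template, context, escape=True):
    """Substitute references; HTML-encode each substituted value unless escape=False."""
    def substitute(match):
        value = resolve(context, match.group(1))
        if value is None:
            return match.group(0)  # unresolved reference is left as written
        text = str(value)
        # quote=True also encodes ' and ", which matters inside attribute values
        return html.escape(text, quote=True) if escape else text
    return REF.sub(substitute, template)

# Space name from the report, taken without its surrounding quotes.
SPACE_NAME = "><script>alert('bang')</script>css"
CONTEXT = {"space": {"name": SPACE_NAME}}

MACRO_TEMPLATE = "$space.name"                   # template from the report
ATTR_TEMPLATE = "<a title='$space.name'>x</a>"   # constructed attribute context

if __name__ == "__main__":
    print("unescaped:", render(MACRO_TEMPLATE, CONTEXT, escape=False))
    print("escaped:  ", render(MACRO_TEMPLATE, CONTEXT))
    print("attribute:", render(ATTR_TEMPLATE, CONTEXT))
```

With encoding applied at substitution time the space name reaches the page as inert text in both element and attribute positions, which is what the report says happens everywhere else the space name is shown.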