Confluence Data Center: CONFSERVER-35090

Velocity XSS in $space.name


Details

    Description

      I got the following email from Ulrich Kuhnhardt <ulrich@comalatech.com>:

      While we were doing some testing with XSS for the shiny new Publishing plugin we found that the velocity renderer does not escape $space.name.

      To reproduce:
      Create a space with name '><script>alert('bang')</script>css'
      Create a user macro 'simple-space-name' in Confluence admin with template '$space.name'
      Make a page in your XSS space with content

      {simple-space-name}

      I thought I'd let you know - it shouldn't be so easy to get an alert on the screen after rendering?
      Happens to rendered .vm from plugins too of course, that's how we found it in the first place.
      The space name is escaped everywhere else and as per https://developer.atlassian.com/display/CONFDEV/Enabling+XSS+Protection+in+Plugins I did expect this to happen with $space.name as well.

      Didn't create an issue or post to Answers in case this smells.
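As an added example, not code from this issue or from Atlassian, the following program renders the reported one-line user-macro template `$space.name` with the standalone Apache Velocity 1.7 engine, first with the default configuration (the behaviour reported above) and then with Velocity's `EscapeHtmlReference` insertion handler enabled; the `Space` class is an assumed stand-in for the Confluence space object.

```java
// Added demo (not from CONFSERVER-35090): shows why a bare "$space.name" in a
// Velocity template needs HTML escaping, and one way to enforce it engine-wide.
// Requires velocity-1.7.jar and commons-lang on the classpath.
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class SpaceNameEscapeDemo {

    // Assumed stand-in for the Confluence Space object put into the context.
    public static class Space {
        private final String name;
        public Space(String name) { this.name = name; }
        public String getName() { return name; }   // backs $space.name
    }

    // Renders the one-line user-macro template, optionally with HTML escaping
    // applied to every $reference as it is inserted into the output.
    static String render(String spaceName, boolean escapeReferences) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        if (escapeReferences) {
            // Velocity 1.x event handler: HTML-escape each reference on insertion.
            ve.setProperty("eventhandler.referenceinsertion.class",
                "org.apache.velocity.app.event.implement.EscapeHtmlReference");
        }
        ve.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("space", new Space(spaceName));
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "simple-space-name", "$space.name");
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // The space name from the report above.
        String name = "'><script>alert('bang')</script>css'";
        // Default engine: the <script> element reaches the page verbatim.
        System.out.println("unescaped: " + render(name, false));
        // With the handler: &lt;script&gt;... is inert text in the browser.
        System.out.println("escaped:   " + render(name, true));
    }
}
```

`EscapeHtmlReference` escapes every reference in the template, including ones that are meant to carry HTML, so in Confluence templates the narrower fix is to encode the single reference, for example `$generalUtil.htmlEncode($space.name)`.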

People

vvo Vu Truong Vo (Inactive)
jmasson@atlassian.com John Masson