- Bug
- Resolution: Fixed
- Medium
- None
- 7.5
The scope of this issue is to address two specific XSS vulnerabilities. Fixing the i18n parameters more broadly is tracked elsewhere; please see the comment below for details.
(Original Description)
The ConfluenceActionSupport.getText method is annotated with @HtmlSafe, which makes the Velocity engine skip HTML encoding of the method's response. The responsibility for HTML encoding is therefore placed on the caller.
There appears to be a common vulnerability in several Velocity templates that take a user-controlled variable and pass it as an argument to the getText method without encoding, leading to XSS vulnerabilities.
Two such examples are:
#if ($justAdded)
    #applyDecorator("warning" "")
        $action.getText("added.exclusion.feedback", [$justAdded, "$req.contextPath/admin/purgesinglereferrer.action?referrer=$justAdded", "$req.contextPath/admin/purgereferrers.action"])
    #end
#end
<fieldset class="group">
    <legend><span>$action.getText("office.connector.docimport.whereto"):</span></legend>
    <div class="radio">
        <input type="radio" id="newpage" class="radio flip-delete" name="importSpace" value="true" checked>
        <label for="newpage">$action.getText("office.connector.docimport.whereto.space", [$pageTitle])</label>
    </div>
    <div class="radio">
        <input type="radio" id="overwritepage" class="radio flip-delete" name="importSpace" value="false">
        <label for="overwritepage">$action.getText("office.connector.docimport.whereto.page", [$pageTitle])</label>
    </div>
    <div class="checkbox" id="deletealldiv">
        <input class="delete-all checkbox" type="checkbox" id="deleteall" name="overwriteAll" value="true" disabled>
        <label for="deleteall" id="deletealllabel" class="cannot-execute">$action.getText("office.connector.docimport.whereto.delete", [$pageTitle])</label>
    </div>
</fieldset>
It is recommended that all callers of the getText() method HTML-encode user-controlled parameters.
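The following template check is an added example, not code from Confluence or from this issue. It flags every getText() argument that carries a Velocity variable reference without routing it through an HTML-encoding helper; the helper name $generalUtil.htmlEncode and the allowlisting of $req.contextPath as non-user-controlled are assumptions, and the sample input is the two fragments quoted above, trimmed to their getText() lines.

```python
import re

# $action.getText("key", [ ...args... ]); re.S lets the argument list span lines.
GETTEXT_CALL = re.compile(r'\$action\.getText\(\s*"([^"]+)"\s*,\s*\[(.*?)\]\s*\)', re.S)
# A Velocity variable reference such as $justAdded or $req.contextPath.
VAR_REF = re.compile(r"\$[A-Za-z_][\w.]*")
# Spans already wrapped in the (assumed) encoding helper are dropped before inspection.
ENCODED_SPAN = re.compile(r"\$generalUtil\.htmlEncode\([^()]*\)")
# References treated as not user controlled (assumed allowlist; extend deliberately).
SAFE_REFS = {"$req.contextPath"}

def split_args(arg_list: str) -> list[str]:
    """Split the body of a Velocity array literal on commas outside double quotes."""
    args, buf, in_quote = [], [], False
    for ch in arg_list:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    args.append("".join(buf).strip())
    return args

def find_unencoded_gettext_args(template: str) -> list[tuple[str, str]]:
    """Return (message key, argument) pairs where a variable reaches getText() unencoded."""
    findings = []
    for call in GETTEXT_CALL.finditer(template):
        key, raw_args = call.group(1), call.group(2)
        for arg in split_args(raw_args):
            remaining = ENCODED_SPAN.sub("", arg)
            if any(ref not in SAFE_REFS for ref in VAR_REF.findall(remaining)):
                findings.append((key, arg))
    return findings

# Constructed sample: the getText() lines from the two fragments quoted in the issue.
VULNERABLE_TEMPLATE = '''$action.getText("added.exclusion.feedback", [$justAdded, "$req.contextPath/admin/purgesinglereferrer.action?referrer=$justAdded", "$req.contextPath/admin/purgereferrers.action"])
<label for="newpage">$action.getText("office.connector.docimport.whereto.space", [$pageTitle])</label>
'''

# The same lines with every user-controlled reference wrapped in the encoding helper.
HARDENED_TEMPLATE = VULNERABLE_TEMPLATE.replace(
    "$justAdded", "$generalUtil.htmlEncode($justAdded)"
).replace("[$pageTitle]", "[$generalUtil.htmlEncode($pageTitle)]")

if __name__ == "__main__":
    for key, arg in find_unencoded_gettext_args(VULNERABLE_TEMPLATE):
        print(f"unencoded argument to getText({key!r}): {arg}")
    print("hardened findings:", find_unencoded_gettext_args(HARDENED_TEMPLATE))
```

The third argument of the first call is not reported because its only reference is the allowlisted $req.contextPath; a literal with no $ reference is never reported.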