Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-13451

XSS bug in wiki markup link rendering

XMLWordPrintable

      The following wikimarkup creates links with an onclick event.

      [test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]
      [test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]
      

      This is due to the following code in ConfluenceLinkResolver at line 319 (ish)

      // in private boolean isUrlLink(String textWithoutTitle)
      
              if (textWithoutTitle.startsWith("mailto:") || textWithoutTitle.startsWith("file:"))
              {
                  return true;
              }
              else
              {
                  // URLs don't strictly allow single quote characters, but we want to allow one
                  String encodedText = textWithoutTitle.replaceAll("'","");
                  boolean isUrl = UrlUtils.verifyHierachicalURI(encodedText);
                  return isUrl;
              }
      

      I haven't checked how far back this actually goes, but I suspect it's a long way.

              dtaylor David Taylor (Inactive)
              don.willis@atlassian.com Don Willis
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: