[CONFSERVER-13451] XSS bug in wiki markup link rendering

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.10
Affects Version/s: 2.7, 2.8, 2.9
Component/s: None
Labels:
- affects-server
- editor
- qa-manual
- renderer
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

The following wikimarkup creates links with an onclick event.

[test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]
[test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]

This is due to the following code in ConfluenceLinkResolver at line 319 (ish)

// in private boolean isUrlLink(String textWithoutTitle)

        if (textWithoutTitle.startsWith("mailto:") || textWithoutTitle.startsWith("file:"))
        {
            return true;
        }
        else
        {
            // URLs don't strictly allow single quote characters, but we want to allow one
            String encodedText = textWithoutTitle.replaceAll("'","");
            boolean isUrl = UrlUtils.verifyHierachicalURI(encodedText);
            return isUrl;
        }

I haven't checked how far back this actually goes, but I suspect it's a long way.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

atlassian-renderer-3.18.1.jar
05/Nov/2008 4:25 AM
203 kB
Brian Nguyen
atlassian-renderer-3.19.1.jar
05/Nov/2008 4:25 AM
208 kB
Brian Nguyen

is related to

CONFSERVER-3086 Hyperlink other protocols (e.g. notes://) automatically

Closed

Katherine Yabut made changes - 13/Nov/2018 4:43 AM

Workflow

Original: JAC Bug Workflow v3 [ 2895006 ]

New: CONFSERVER Bug Workflow v4 [ 2987387 ]

Owen made changes - 11/Oct/2018 9:01 AM

Workflow	Original: JAC Bug Workflow v2 [ 2782752 ]	New: JAC Bug Workflow v3 [ 2895006 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:13 PM

Workflow

Original: JAC Bug Workflow [ 2707839 ]

New: JAC Bug Workflow v2 [ 2782752 ]

Owen made changes - 02/Jul/2018 6:45 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2372385 ]

New: JAC Bug Workflow [ 2707839 ]

Katherine Yabut made changes - 22/Jun/2017 6:44 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2298560 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2372385 ]

Katherine Yabut made changes - 31/May/2017 5:39 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2233382 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2298560 ]

Katherine Yabut made changes - 31/May/2017 5:00 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2194560 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2233382 ]

Katherine Yabut made changes - 31/May/2017 2:05 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1927635 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2194560 ]

Katherine Yabut made changes - 03/Apr/2017 3:58 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v3 [ 1728803 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 1927635 ]

Katherine Yabut made changes - 28/Feb/2017 6:34 AM

Workflow

Original: CONF Bug Subtask WF (TEMP) [ 1686096 ]

New: Confluence Workflow - Public Facing - Restricted v3 [ 1728803 ]

Assignee:: David Taylor (Inactive)

Reporter:: Don Willis

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 20/Oct/2008 8:13 AM

Updated:: 11/Oct/2018 9:01 AM

Resolved:: 13/Nov/2008 6:12 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

People

Dates