-
Bug
-
Resolution: Fixed
-
Medium
-
3.0
-
None
A user with username "><script>alert("foo")</script> that is linked to via [~username] markup results in script being executed.
Curiously, viewing the space homepage of that user results in a blank page.
This of course is prevented for public signup, but if the user gets created via other means, i.e. external user management, or via admin control panel then this is a valid point of attack
- is caused by
-
-
- Closed
-
- relates to
-
-
- Closed
-
[CONFSERVER-15970] XSS in user links
Anatoli, the XSS hole in advanced macros was introduced in 3.0 (specifically via the 'social' theme) so current 2.10 users shouldn't have this problem.
A new version of the advanced macros plugin has been added to 3.0.1
Fixed in branch as well.
Due to our lovely circular dependency with bundled plugins I can't update advanced macros until we release 3.0.1. So any testers will need to download the SNAPSHOT version.
Moving to 3.1 since I have to release advanced macros after the merge
Turns out this is still a problem in the recently-updated macro (social theme). Assigning to myself to fix.
This changeset really should have been split into two separate commits. The bug fix itself is fine.
In terms of the user helper, it all looks good. There are a few things that should be changed in the future though:
- addUserToGroup should use a user object. Makes it consistent with the rest of the helper
- rpcCreateTestSpace should be deleted too, again for consistency
- createUserViaHelper should be removed, it looks like we are moving to a delegation pattern so we should be doing userHelper.createUser() as well. The less stuff we have in ACAT the better.
Chris Broadfoot [Atlassian]
added a comment - Fixed by URL encoding the usernames. 
If you are not in a position to upgrade to Confluence 3.0.1, you can patch your existing Confluence 3.0.0 instance to fix this XSS issue using the attached zip file.
To apply the patch:
(Create the appropriate folder(s) if they do not exist.)