Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 2.9
Affects Version/s: 2.6.0
Component/s: None
Labels:

Velocity should automatically escape (encode) HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet.

This affects all versions of Confluence.

blocks

CONFSERVER-7615 XSS bug: usernames not HTML-encoded in all places

Closed

CONFSERVER-9559 Cross-site scripting vulnerability in /dashboard.action

Closed

CONFSERVER-11005 XSS vulnerability in signup actions

Closed

is related to

CONFSERVER-12335 Write developer documentation for HtmlSafe Velocity encoding

Closed

CONFSERVER-12573 Enable automatic HTML encoding by default

Closed

relates to

CONFSERVER-9640 Upgrade Confluence's Velocity dependency to 1.5

Closed

(1 relates to)

Assignee:: Christopher Owen [Atlassian]
Reporter:: Matt Ryall
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: 03/Oct/2007 2:58 AM
Updated:: 11/Oct/2018 9:01 AM
Resolved:: 28/Jul/2008 1:11 AM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates