Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-9627

Velocity does not automatically escape HTML entities when substituting variables

    XMLWordPrintable

Details

    Description

      Velocity should automatically escape (encode) HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet.

      This affects all versions of Confluence.

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-7615 XSS bug: usernames not HTML-encoded in all places

          • High - High priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-9559 Cross-site scripting vulnerability in /dashboard.action

          • High - High priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-11005 XSS vulnerability in signup actions

          • Medium - Medium priority issues
          • Closed
          is related to

          Suggestion - CONFSERVER-12335 Write developer documentation for HtmlSafe Velocity encoding

          • Closed

          Suggestion - CONFSERVER-12573 Enable automatic HTML encoding by default

          • Closed
          relates to

          Suggestion - CONFSERVER-9640 Upgrade Confluence's Velocity dependency to 1.5

          • Closed

          Activity

            People

              christopher.owen@atlassian.com Christopher Owen [Atlassian]
              matt@atlassian.com Matt Ryall
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: