[xwiki-users] Searching workaround for HTML in title-field

Caleb James DeLisle calebdelisle at lavabit.com
Sat Jun 12 16:05:56 UTC 2010


This is not a problem only with the search field. It's a security policy that
XWiki allows its users to run script. In syntax 1.0 you are allowed to type
HTML (and thus script) into the document, in syntax 2.0 you can use HTML in
the document by invoking the HTML macro.

My opinion is that to prevent users from running script you would have to set up
an output filter such as Apache mod_filter and implement a policy which blocks all
script which is in parts of the page which are user editable.

Caleb


Ivan Levashew wrote:
> Joel Forsberg wrote:
>> Do you happen to know the JIRA ticket for this bug? (if there is one?)
>>
> http://jira.xwiki.org/jira/browse/XE-24 but it is for previous search 
> engine.
> 
>> The {pre} seems to dodge some of the unwanted effects, but in turn makes 
>> further editing the script difficult. Next time I edit the {pre} seems to have 
>> disappeared, instead leaving a <p>-tag artifact depending on circumstances.
>>
>>> CrossSiteScripting example: <script>alert('I pwnd U')</script>
>>> => bad, bad, bad
>> That is exactly what I would like to avoid, hehe. :)
>>
> 
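One concrete shape of the output filter Caleb describes, as an added example that is not from this thread or from XWiki itself: a Python filter that removes script elements, inline event handlers and javascript: URLs only inside the user-editable region of a rendered page, which it assumes is the element with id="xwikicontent" (an assumption; the skin's script outside that region is left intact).

```python
from html import escape
from html.parser import HTMLParser

EDITABLE_ID = "xwikicontent"   # assumed id of the user-editable container
VOID, URL_ATTRS = {"br", "img", "hr", "input", "meta", "link"}, {"href", "src", "action"}

class UserContentScriptFilter(HTMLParser):
    # Re-emits a rendered page, dropping script only inside the editable container.
    # Assumes well-formed markup: tag soup would confuse the depth count.
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.depth, self.editable_at, self.skipping = [], 0, None, False
    def _clean(self, attrs):   # drop inline event handlers and javascript: URLs
        return [(k, v) for k, v in attrs if not k.startswith("on") and not
                (k in URL_ATTRS and v and v.strip().lower().startswith("javascript:"))]
    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        editable = self.editable_at is not None
        if editable and tag == "script":   # user-supplied script: drop the whole element
            self.skipping = True
            return
        if editable:
            attrs = self._clean(attrs)
        if tag not in VOID:
            self.depth += 1
            if not editable and ("id", EDITABLE_ID) in attrs:
                self.editable_at = self.depth   # entering the user-editable region
        rendered = "".join(f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}" for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")
    def handle_endtag(self, tag):
        if self.skipping:                  # the </script> of the dropped element
            self.skipping = False
        elif tag not in VOID:
            if self.depth == self.editable_at:
                self.editable_at = None    # leaving the user-editable region
            self.depth -= 1
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(data)
    handle_entityref = lambda self, n: self.handle_data(f"&{n};")
    handle_charref = lambda self, n: self.handle_data(f"&#{n};")

def filter_page(page):
    f = UserContentScriptFilter(); f.feed(page); f.close()
    return "".join(f.out)

# Constructed sample: the skin's <head> script survives, the thread's XSS example does not.
SAMPLE = ('<html><head><script src="/skin.js"></script></head><body><div id="xwikicontent">'
          '<p onclick="alert(1)">Hi <br>there</p><script>alert(\'I pwnd U\')</script>'
          '<a href="javascript:alert(2)">x</a></div></body></html>')
```

A filter like this belongs behind the rendering step (the role mod_filter plays in Caleb's suggestion), and a production deployment should use a real HTML sanitizer rather than a depth counter.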