XWiki Platform / XWIKI-22435 Open

XWiki shouldn't allow passing URLs with %2F in it

 
 

Issue created

 
Vincent Massol created this issue on 20/Aug/24 10:21
 
Summary: XWiki shouldn't allow passing URLs with %2F in it
Issue Type: Bug
Affects Versions: 15.10
Assignee: Unassigned
Created: 20/Aug/24 10:21
Priority: Major
Reporter: Vincent Massol
Description:

It's against the servlet spec, see https://github.com/jakartaee/servlet/blob/6.0.0-RELEASE/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization

See also https://stackoverflow.com/a/74395733

 
 

1 comment

 
Vincent Massol on 20/Aug/24 10:24
 

Used in PageTemplatesIT#templateProviderTitleEscaping with the following URL: http://localhost:8080/xwiki/bin/edit/XWiki/%7B%7Bhtml%7D%7D%3Cspan%3EHTML%3C%2Fspan%3E%7B%7B%2Fhtml%7D%7D?template=XWiki.TemplateProviderTemplate&parent=XWiki.TemplateProviderClass&title=%7B%7Bhtml%7D%7D%3Cspan%3EHTML%3C%2Fspan%3E%7B%7B%2Fhtml%7D%7D&form_token=7ReNHIExSZo84JE25vsxdg
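
Added example, not part of the issue or of XWiki's code: a Python check that locates `%2F` in the raw path of the test URL quoted above and shows how decoding the path before splitting changes the number of segments. The function names are hypothetical, and treating `%2F` in the query string as acceptable is an assumption drawn from the issue's reference to URI path canonicalization.

```python
import re
from urllib.parse import urlsplit, unquote

# URL copied from the comment above.
ISSUE_URL = (
    "http://localhost:8080/xwiki/bin/edit/XWiki/"
    "%7B%7Bhtml%7D%7D%3Cspan%3EHTML%3C%2Fspan%3E%7B%7B%2Fhtml%7D%7D"
    "?template=XWiki.TemplateProviderTemplate"
    "&parent=XWiki.TemplateProviderClass"
    "&title=%7B%7Bhtml%7D%7D%3Cspan%3EHTML%3C%2Fspan%3E%7B%7B%2Fhtml%7D%7D"
    "&form_token=7ReNHIExSZo84JE25vsxdg"
)

ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)  # matches %2F and %2f


def raw_segments(url):
    """Path segments as sent on the wire (urlsplit does not percent-decode)."""
    return [s for s in urlsplit(url).path.split("/") if s]


def encoded_slashes_in_path(url):
    """Return (segment_index, occurrences) for each raw segment holding %2F."""
    hits = []
    for index, segment in enumerate(raw_segments(url)):
        count = len(ENCODED_SLASH.findall(segment))
        if count:
            hits.append((index, count))
    return hits


def encoded_slashes_in_query(url):
    """Count %2F in the query string, reported separately from the path."""
    return len(ENCODED_SLASH.findall(urlsplit(url).query))


def segment_counts(url):
    """(segments when split before decoding, segments when decoded first)."""
    decoded = [s for s in unquote(urlsplit(url).path).split("/") if s]
    return len(raw_segments(url)), len(decoded)


def path_is_unambiguous(url):
    """True when no raw path segment carries an encoded slash."""
    return not encoded_slashes_in_path(url)


if __name__ == "__main__":
    print("path hits:", encoded_slashes_in_path(ISSUE_URL))
    print("query hits:", encoded_slashes_in_query(ISSUE_URL))
    print("segments raw/decoded:", segment_counts(ISSUE_URL))
```

For the URL from the comment, the page-name segment is the only path segment flagged, and the same value in the `title` parameter is counted as query data.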