Hi Fernando,
Actually, I've fixed the issue just after reading xipe's comment back in
2009, by enclosing everything the macro outputs in {{{verbatim
markup}}}. See the update line at the top of the blog post.
This was even before XWiki prevented nested scripting by default. Could
you edit your comment on the macro's extension page, since the security
issue had been addressed even before the macro was released?
Thanks,
Jerome
On 11/20/2012 05:52 PM, Fernando Correia wrote:
One comment in the blog post[1] about the RSS
Aggregator Macro[2] warns
against a serious security flaw: the extension is embedding in the page's
wiki markup strings it reads from the web (RSS feeds); if these strings
contain wiki code such as this:
<title>Let's execute some groovy: {{groovy}}println
"id".execute().getText(){{/groovy}}</title>
then it would allow random code to be executed on the server.
I investigated the issue and my current understanding is that this
vulnerability has been addressed at XWiki itself, when nested scripts[3]
were disabled in v. 2.4M2[4].
Am I correct to assume this vulnerability has been closed and that it's
safe to run this extension?
[1] http://www.velociter.fr/journal/XWiki-plus-groovy-is-love-the-10-lines-RSS-…
[2] http://extensions.xwiki.org/xwiki/bin/view/Extension/RSS+Aggregator+Macro
[3] http://extensions.xwiki.org/xwiki/bin/view/Extension/Script+Macro#HNestedsc…
[4] http://www.xwiki.org/xwiki/bin/view/ReleaseNotes/ReleaseNotesXWikiEnterpris…
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
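As an added illustration of the two points made in this thread (it is not code from the RSS Aggregator Macro, from the blog post, or from XWiki itself), the following Python model builds the wiki markup for a list of feed titles three ways and checks which of them leaves a {{groovy}} macro live. It assumes a deliberately simplified renderer: a macro invocation is any {{name ...}} that sits outside a verbatim block, and a verbatim block runs from {{{ to the next }}}. The feed titles are constructed samples. The third variant also breaks up any run of three or more closing braces in feed text before wrapping it, so the content cannot end the verbatim block early; that step is a precaution of the model, since the thread does not say how the real macro or renderer treats that sequence.

```python
import re

# Constructed sample feed titles (not real RSS data): one benign, one carrying
# the payload quoted in the thread, and one that first tries to close a
# surrounding verbatim block before placing the macro.
SAMPLE_TITLES = [
    "XWiki 2.4M2 released",
    'Let\'s execute some groovy: {{groovy}}println "id".execute().getText(){{/groovy}}',
    '}}}{{groovy}}println "id".execute().getText(){{/groovy}}{{{',
]

# A macro start tag in the model: {{name ...}}. Closing tags ({{/name}}) do not
# match because the name must be a word.
MACRO_RE = re.compile(r"\{\{(\w+)[^}]*\}\}")


def render_item_vulnerable(title):
    """Feed text dropped straight into the page's wiki markup (the flaw)."""
    return "* " + title


def render_item_verbatim(title):
    """Feed text wrapped in {{{ ... }}} verbatim markup (the fix described
    in the thread)."""
    return "* {{{" + title + "}}}"


def render_item_hardened(title):
    """Verbatim wrapping plus neutralisation of any '}}}' sequence in the
    feed text, a precaution specific to this model: a run of three or more
    closing braces is split with spaces so it can no longer close the
    verbatim block that surrounds it."""
    safe = re.sub(r"\}{3,}", lambda m: " ".join(m.group()), title)
    return "* {{{" + safe + "}}}"


def render_feed(titles, render_item):
    """Build the whole list the way a macro would emit it."""
    return "\n".join(render_item(t) for t in titles)


def live_macros(markup):
    """Return the names of macros the model renderer would interpret, i.e.
    every {{name ...}} found outside a verbatim block. Verbatim opens at the
    first '{{{' and closes at the next '}}}' (hypothetical, simplified rule)."""
    names = []
    i, n = 0, len(markup)
    while i < n:
        if markup.startswith("{{{", i):
            end = markup.find("}}}", i + 3)
            i = n if end < 0 else end + 3   # skip the verbatim region
            continue
        m = MACRO_RE.match(markup, i)
        if m:
            names.append(m.group(1))
            i = m.end()
        else:
            i += 1
    return names


if __name__ == "__main__":
    for name, renderer in [("vulnerable", render_item_vulnerable),
                           ("verbatim", render_item_verbatim),
                           ("hardened", render_item_hardened)]:
        markup = render_feed(SAMPLE_TITLES, renderer)
        print(f"{name:10s} live macros: {live_macros(markup)}")
```

Running the block shows the vulnerable rendering leaving {{groovy}} live, the verbatim rendering neutralising the payload quoted in the thread, and, in this model only, the second hostile title escaping the plain verbatim wrapper but not the hardened one. Whether the real renderer can be closed that way by macro output is not something this thread establishes; the model just makes the check explicit.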