12 Jun
2010
12 Jun
'10
6:05 p.m.
This is not a problem only with the search field. It's a security policy that
XWiki allows it's users to run script. In syntax 1.0 you are allowed to type
HTML (and thus script) into the document, in syntax 2.0 you can use HTML in
the document by invoking the HTML macro.
My opinion is that to prevent users from running script you would have to set up
an output filter such as Apache mod_filter and implement a policy which blocks all
script which is in parts of the page which are user editable.
Caleb
Ivan Levashew wrote:
Joel Forsberg wrote:
Do you happen to know the JIRA ticket for this
bug? (if there is one?)
http://jira.xwiki.org/jira/browse/XE-24 but it is for previous search
engine.
The {pre} seems to dodge some of the unwanted
effects, but in turn makes
further editing the script difficult. Next time I edit the {pre} seems to have
disappeared, instead leaving a <p>-tag artifact depending on circumstances.
CrossSiteScripting example:
<script>alert('I pwnd U')</script>
=> bad, bad, bad
That is exatly what I would like to avoid, hehe. :)