
XWiki 9151 : XSS vulnerability in link syntax when using "path:" #122

Closed
wants to merge 6 commits into from
Expand Up @@ -27,8 +27,8 @@

import org.xwiki.annotation.Annotation;
import org.xwiki.annotation.renderer.AnnotationEvent;
import org.xwiki.rendering.renderer.printer.DefaultXHTMLWikiPrinter;
import org.xwiki.rendering.renderer.printer.WikiPrinter;
import org.xwiki.rendering.renderer.printer.XHTMLWikiPrinter;

/**
* XHTML Printer to handle printing annotations markers in the rendered XHTML. It is able to generate the annotation
Expand All @@ -41,7 +41,7 @@
* @version $Id$
* @since 2.3M1
*/
public class AnnotationMarkersXHTMLPrinter extends XHTMLWikiPrinter
public class AnnotationMarkersXHTMLPrinter extends DefaultXHTMLWikiPrinter
This is because I transformed XHTMLWikiPrinter into an interface implemented by DefaultXHTMLWikiPrinter

{

/**
Expand Up @@ -68,7 +68,7 @@ public class AnnotationXHTMLChainingRenderer extends XHTMLChainingRenderer imple
public AnnotationXHTMLChainingRenderer(XHTMLLinkRenderer linkRenderer, XHTMLImageRenderer imageRenderer,
ListenerChain listenerChain)
{
super(linkRenderer, imageRenderer, listenerChain);
super(linkRenderer, imageRenderer, listenerChain, "default");
}

/**
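Review bot: The new fourth argument `"default"` in the `super(linkRenderer, imageRenderer, listenerChain, "default")` call is a bare literal whose meaning is invisible at the call site; presumably it is the hint selecting which XHTMLWikiPrinter implementation the chaining renderer uses, i.e. the same axis along which this PR introduces a "secure" variant. A named constant on the parent (for example `XHTMLChainingRenderer.DEFAULT_PRINTER_HINT`) or a one-line comment such as `// "default": annotation markers are rendered with the default (non-secure) XHTML printer` would make the choice reviewable and record that annotation output deliberately bypasses the hardened printer, if that reading is right. The constructor is fully inside the hunk; the class declaration sits above it.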
Expand Up @@ -118,6 +118,8 @@
import org.xwiki.rendering.transformation.TransformationContext;
import org.xwiki.rendering.transformation.TransformationException;
import org.xwiki.rendering.transformation.TransformationManager;
import org.xwiki.security.authorization.AuthorizationManager;
import org.xwiki.security.authorization.Right;
import org.xwiki.velocity.VelocityManager;
import org.xwiki.xml.XMLUtils;

Expand Down Expand Up @@ -7943,7 +7945,14 @@ private static String performSyntaxConversion(XDOM content, Syntax targetSyntax,
protected static String renderXDOM(XDOM content, Syntax targetSyntax) throws XWikiException
{
try {
BlockRenderer renderer = Utils.getComponent(BlockRenderer.class, targetSyntax.toIdString());
BlockRenderer renderer;
String targetSyntaxId = targetSyntax.toIdString();
// If a secure renderer exists, let's use it.
if (Utils.getComponentManager().hasComponent(BlockRenderer.class, "secure" + targetSyntaxId)) {
renderer = Utils.getComponent(BlockRenderer.class, "secure" + targetSyntaxId);
} else {
renderer = Utils.getComponent(BlockRenderer.class, targetSyntaxId);
}
WikiPrinter printer = new DefaultWikiPrinter();
renderer.render(content, printer);
return printer.toString();
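Review bot: When no `"secure" + targetSyntaxId` renderer is registered, renderXDOM silently falls back to the plain renderer, so any syntax without a secure variant keeps the exposure this PR is fixing and nothing tells an operator that it happened. The hint is also built twice; computing it once as `String secureHint = "secure" + targetSyntaxId;`, logging the fallback at debug level, and widening the comment to `// Prefer the "secure<syntaxId>" renderer when one is registered; the plain renderer is the unhardened fallback` would make the behaviour explicit. The newly imported AuthorizationManager and Right are not used anywhere in this hunk; if they serve another change elsewhere in the file that is fine, otherwise they should be dropped. The enclosing try block continues past the end of the hunk.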
Expand Up @@ -19,6 +19,7 @@
*/
package org.xwiki.rendering.internal.configuration;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
Expand Down Expand Up @@ -98,4 +99,10 @@ public List<String> getTransformationNames()
{
return this.configuration.getProperty(PREFIX + "transformations", Arrays.asList("macro", "icon"));
}

@Override
public List<String> getExtraAttributes()
{
return this.configuration.getProperty(PREFIX + "extraAttributes", new ArrayList<String>());
}

I can replace it with a method to add extra regex instead of attributes if needed.

}
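Review bot: getExtraAttributes() widens the attribute allowlist that the secure rendering depends on, yet carries no Javadoc stating that contract, and `@Override` alone leaves a reader of this class guessing what the values are used for. A method comment along the lines of `/** Extra XHTML attribute names accepted in addition to the built-in allowlist, read from rendering.extraAttributes. Each name is trusted verbatim, so only attributes that cannot carry script (in particular no event-handler attributes) belong here. */` records the security consequence for whoever edits the properties file. Whether the configuration source splits the comma-separated property value into a List<String> is not visible here and should be confirmed, since the properties file documents a single comma-separated value while this method returns a List.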
Expand Up @@ -141,6 +141,12 @@ environment.permanentDirectory=$xwikiPropertiesEnvironmentPermanentDirectory
# rendering.interWikiDefinitions = wikipedia = http://en.wikipedia.org/wiki/
# rendering.interWikiDefinitions = definition = http://www.yourdictionary.com/

#-# [Since 5.1RC1]
#-# In order to prevent XSS attacks, only a limited number of attributes can be used in the wiki syntax.
#-# By default the only attributes authorized are : alt, class, height, id, name, rel, scope, style, target, title, width
#-# You can add some (as a coma separated list) thanks to this property.
# rendering.extraAttributes =

#-------------------------------------------------------------------------------------
# Rendering Transformations
#-------------------------------------------------------------------------------------
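Review bot: The new comment block has a typo in `#-# You can add some (as a coma separated list) thanks to this property.` — `comma`, and the stray space before the colon in `authorized are :` should go. The enumerated default attributes duplicate whatever list the secure renderer actually enforces (presumably a constant in code), so naming where that list lives would keep the two from drifting apart.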