XWiki 9151 : XSS vulnerability in link syntax when using "path:"

xwiki-platform-core/xwiki-platform-annotations/xwiki-platform-annotation-core/src/main/java/org/xwiki/annotation/internal/renderer/AnnotationMarkersXHTMLPrinter.java

@@ -27,8 +27,8 @@
 
 import org.xwiki.annotation.Annotation;
 import org.xwiki.annotation.renderer.AnnotationEvent;
+import org.xwiki.rendering.renderer.printer.DefaultXHTMLWikiPrinter;
 import org.xwiki.rendering.renderer.printer.WikiPrinter;
-import org.xwiki.rendering.renderer.printer.XHTMLWikiPrinter;
 
 /**
  * XHTML Printer to handle printing annotations markers in the rendered XHTML. It is able to generate the annotation
@@ -41,7 +41,7 @@
  * @version $Id$
  * @since 2.3M1
  */
-public class AnnotationMarkersXHTMLPrinter extends XHTMLWikiPrinter
+public class AnnotationMarkersXHTMLPrinter extends DefaultXHTMLWikiPrinter
 {
 
     /**

xwiki-platform-core/xwiki-platform-annotations/xwiki-platform-annotation-core/src/main/java/org/xwiki/annotation/internal/renderer/AnnotationXHTMLChainingRenderer.java

@@ -68,7 +68,7 @@ public class AnnotationXHTMLChainingRenderer extends XHTMLChainingRenderer imple
     public AnnotationXHTMLChainingRenderer(XHTMLLinkRenderer linkRenderer, XHTMLImageRenderer imageRenderer,
         ListenerChain listenerChain)
     {
-        super(linkRenderer, imageRenderer, listenerChain);
+        super(linkRenderer, imageRenderer, listenerChain, "default");
     }
 
     /**

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/doc/XWikiDocument.java

@@ -118,6 +118,8 @@
 import org.xwiki.rendering.transformation.TransformationContext;
 import org.xwiki.rendering.transformation.TransformationException;
 import org.xwiki.rendering.transformation.TransformationManager;
+import org.xwiki.security.authorization.AuthorizationManager;
+import org.xwiki.security.authorization.Right;
 import org.xwiki.velocity.VelocityManager;
 import org.xwiki.xml.XMLUtils;
 
@@ -7943,7 +7945,14 @@ private static String performSyntaxConversion(XDOM content, Syntax targetSyntax,
     protected static String renderXDOM(XDOM content, Syntax targetSyntax) throws XWikiException
     {
         try {
-            BlockRenderer renderer = Utils.getComponent(BlockRenderer.class, targetSyntax.toIdString());
+            BlockRenderer renderer;
+            String targetSyntaxId = targetSyntax.toIdString();
+            // If a secure renderer exists, let's use it.
+            if (Utils.getComponentManager().hasComponent(BlockRenderer.class, "secure" + targetSyntaxId)) {
+                renderer = Utils.getComponent(BlockRenderer.class, "secure" + targetSyntaxId);
+            } else {
+                renderer = Utils.getComponent(BlockRenderer.class, targetSyntaxId);
+            }
             WikiPrinter printer = new DefaultWikiPrinter();
             renderer.render(content, printer);
             return printer.toString();

xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-xwiki/src/main/java/org/xwiki/rendering/internal/configuration/DefaultXWikiRenderingConfiguration.java

@@ -19,6 +19,7 @@
  */
 package org.xwiki.rendering.internal.configuration;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Properties;
@@ -98,4 +99,10 @@ public List<String> getTransformationNames()
     {
         return this.configuration.getProperty(PREFIX + "transformations", Arrays.asList("macro", "icon"));
     }
+
+    @Override
+    public List<String> getExtraAttributes()
+    {
+        return this.configuration.getProperty(PREFIX + "extraAttributes", new ArrayList<String>());
+    }
 }

xwiki-platform-tools/xwiki-platform-tool-configuration-resources/src/main/resources/xwiki.properties.vm

@@ -141,6 +141,12 @@ environment.permanentDirectory=$xwikiPropertiesEnvironmentPermanentDirectory
 # rendering.interWikiDefinitions = wikipedia = http://en.wikipedia.org/wiki/
 # rendering.interWikiDefinitions = definition = http://www.yourdictionary.com/
 
+#-# [Since 5.1RC1]
+#-# In order to prevent XSS attacks, only a limited number of attributes can be used in the wiki syntax.
+#-# By default the only attributes authorized are : alt, class, height, id, name, rel, scope, style, target, title, width
+#-# You can add some (as a coma separated list) thanks to this property.
+# rendering.extraAttributes = 
+
 #-------------------------------------------------------------------------------------
 # Rendering Transformations
 #-------------------------------------------------------------------------------------