
CVE-2023-29201: XCOMMONS-2426: Provide a component for filtering safe HTML elements a… · xwiki/xwiki-commons@4a185e0

XWiki Commons are technical libraries common to several other top-level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped <script> and <style> tags, but neither attributes that can be used to inject scripts nor other dangerous HTML tags such as <iframe>. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode. There are no known workarounds apart from upgrading to a version including the fix.


@@ -0,0 +1,110 @@ /* * See the NOTICE file distributed with this work for additional * information regarding copyright ownership. * * This is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this software; if not, write to the Free * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * 02110-1301 USA, or see the FSF site: http://www.fsf.org. */ /* * Alternatively, at your choice, the contents of this file may be used under the terms of the Mozilla Public License, * v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at https://mozilla.org/MPL/2.0/. */ package org.xwiki.xml.internal.html;
import java.util.Arrays; import java.util.HashSet; import java.util.Set;
import javax.inject.Singleton;
import org.xwiki.component.annotation.Component;
/** * Provides definitions of safe HTML attributes and tags. * <p> * Unless otherwise noted, lists of elements and attributes are copied from DOMPurify by Cure53 and other contributors | * Released under the Apache license 2.0 and Mozilla Public License 2.0 - * <a href="https://github.com/cure53/DOMPurify/blob/main/LICENSE">LICENSE</a>. * * @version $Id$ * @since 14.6RC1 */ @Component(roles = HTMLDefinitions.class) @Singleton public class HTMLDefinitions { /** * Allowed HTML elements. */ private final Set<String> htmlTags;
/** * Allowed attributes. */ private final Set<String> htmlAttributes;
/** * Default constructor. */ public HTMLDefinitions() { this.htmlTags = new HashSet<>( Arrays.asList("a", "abbr", "acronym", "address", "area", "article", "aside", "audio", "b", "bdi", "bdo", "big", "blink", "blockquote", "body", "br", "button", "canvas", "caption", "center", "cite", "code", "col", "colgroup", "content", "data", "datalist", "dd", "decorator", "del", "details", "dfn", "dialog", "dir", "div", "dl", "dt", "element", "em", "fieldset", "figcaption", "figure", "font", "footer", "form", "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "img", "input", "ins", "kbd", "label", "legend", "li", "main", "map", "mark", "marquee", "menu", "menuitem", "meter", "nav", "nobr", "ol", "optgroup", "option", "output", "p", "picture", "pre", "progress", "q", "rp", "rt", "ruby", "s", "samp", "section", "select", "shadow", "small", "source", "spacer", "span", "strike", "strong", "style", "sub", "summary", "sup", "table", "tbody", "td", "template", "textarea", "tfoot", "th", "thead", "time", "tr", "track", "tt", "u", "ul", "var", "video", “wbr”));
// Attributes that are in general allowed. Note that “target” is not generally safe, but XWiki contains code // that already adds the necessary attributes to make it safe both in HTMLCleaner and in XHTML rendering. this.htmlAttributes = new HashSet<>( Arrays.asList("accept", "action", "align", "alt", "autocapitalize", "autocomplete", "autopictureinpicture", "autoplay", "background", "bgcolor", "border", "capture", "cellpadding", "cellspacing", "checked", "cite", "class", "clear", "color", "cols", "colspan", "controls", "controlslist", "coords", "crossorigin", "datetime", "decoding", "default", "dir", "disabled", "disablepictureinpicture", "disableremoteplayback", "download", "draggable", "enctype", "enterkeyhint", "face", "for", "headers", "height", "hidden", "high", "href", "hreflang", "id", "inputmode", "integrity", "ismap", "kind", "label", "lang", "list", "loading", "loop", "low", "max", "maxlength", "media", "method", "min", "minlength", "multiple", "muted", "name", "nonce", "noshade", "novalidate", "nowrap", "open", "optimum", "pattern", "placeholder", "playsinline", "poster", "preload", "pubdate", "radiogroup", "readonly", "rel", "required", "rev", "reversed", "role", "rows", "rowspan", "spellcheck", "scope", "selected", "shape", "size", "sizes", "span", "srclang", "start", "src", "srcset", "step", "style", "summary", "tabindex", "title", "translate", "type", "usemap", "valign", "value", "width", "xmlns", "slot", “target”)); }
/** * @param tagName the name of the tag to check * @return if the tag is considered safe */ public boolean isSafeTag(String tagName) { return this.htmlTags.contains(tagName); }
/** * @param attributeName the name of the attribute to check * @return if the attribute is allowed */ public boolean isAllowedAttribute(String attributeName) { return this.htmlAttributes.contains(attributeName); } }
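Review bot: in `HTMLDefinitions`, `isSafeTag` and `isAllowedAttribute` are pure name lookups, yet the attribute list admits URL-valued attributes (`href`, `src`, `srcset`, `action`, `background`, `poster`) and `style`, and the tag list admits `style` as well, so an attribute's value or a style element's CSS content is never inspected here; the cleaner that consumes these sets must validate URL schemes and style content separately, and that contract deserves a sentence in the class javadoc next to the existing note on `target`. Both lookups are also case-sensitive (`contains` on a `HashSet<String>` of lowercase names), so callers have to lowercase tag and attribute names before asking; worth stating in the `@param` documentation of both methods.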

Related news

GHSA-m3jr-cvhj-f35j: org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability

### Impact

The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `<script>` and `<style>` tags, but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `<iframe>`. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). An example is anonymous comments in XWiki, where the HTML macro filters HTML using restricted mode:

```
{{html}}
<a href='' onclick='alert(1)'>XSS</a>
{{/html}}
```

When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.

### Patches

This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes th...
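To make the advisory's point concrete, here is an added example in Python (not XWiki's code) that runs the `onclick` payload above through a constructed approximation of the old tag-only escaping and through an element/attribute allowlist of the kind the fix introduces. The allowlists, the dropped-content set and the URL-scheme policy are assumptions of this example, a small subset rather than XWiki's HTMLDefinitions.

```python
import re
from html import escape
from html.parser import HTMLParser
# Constructed subsets for illustration; XWiki's real lists live in HTMLDefinitions.
SAFE_TAGS = {"a", "b", "i", "p", "br", "div", "span", "ul", "li", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class", "id"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # text inside these is discarded, not re-emitted
URL_ATTRS = {"href", "src"}
SAFE_URL = re.compile(r"(?:https?:|mailto:|[^:]*$)", re.I)  # assumed scheme policy

def legacy_restricted_mode(markup: str) -> str:
    """Approximation of the pre-fix behaviour: only <script>/<style> tags get escaped."""
    return re.sub(r"</?(?:script|style)\b[^>]*>", lambda m: escape(m.group(0)), markup, flags=re.I)

class AllowlistFilter(HTMLParser):
    """Rebuilds the markup keeping only allowlisted elements and attributes."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if tag not in SAFE_TAGS:
            return  # element not on the allowlist (iframe, script, ...) is dropped
        kept = []
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            if name not in ALLOWED_ATTRS or value is None:
                continue  # e.g. an event-handler attribute: rejected by name
            if name in URL_ATTRS and not SAFE_URL.match(value.strip()):
                continue  # URL-valued attribute with a scheme outside the policy
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        if tag in SAFE_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def allowlist_restricted_mode(markup: str) -> str:
    parser = AllowlistFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

The legacy function leaves the `onclick` attribute and an `<iframe>` untouched, while the allowlist version keeps `<a href="">XSS</a>` and drops everything it was not told to keep.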
