CVE-2023-32070: XRENDERING-663: Restrict allowed attributes in HTML rendering · xwiki/xwiki-rendering@c40e2f5
XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn’t check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.
@@ -44,12 +44,12 @@ endDocument .#----------------------------------------------------- .expect|xhtml/1.0 .#----------------------------------------------------- <span param="value">formatmacro2</span><p><span a="b"><span param="value">formatmacro3</span> text</span></p><p><span a="b">text</span><span param="value">formatmacro4</span></p> <span data-xwiki-translated-attribute-param="value">formatmacro2</span><p><span data-xwiki-translated-attribute-a="b"><span data-xwiki-translated-attribute-param="value">formatmacro3</span> text</span></p><p><span data-xwiki-translated-attribute-a="b">text</span><span data-xwiki-translated-attribute-param="value">formatmacro4</span></p> .#----------------------------------------------------- .expect|annotatedxhtml/1.0 .#----------------------------------------------------- <!–startmacro:testformatmacro|-|–><span param="value">formatmacro2</span><!–stopmacro–><p><span a="b"><!–startmacro:testformatmacro|-|–><span param="value">formatmacro3</span><!–stopmacro–> text</span></p><p><span a="b">text</span><!–startmacro:testformatmacro|-|–><span param="value">formatmacro4</span><!–stopmacro–></p> <!–startmacro:testformatmacro|-|–><span data-xwiki-translated-attribute-param="value">formatmacro2</span><!–stopmacro–><p><span data-xwiki-translated-attribute-a="b"><!–startmacro:testformatmacro|-|–><span data-xwiki-translated-attribute-param="value">formatmacro3</span><!–stopmacro–> text</span></p><p><span data-xwiki-translated-attribute-a="b">text</span><!–startmacro:testformatmacro|-|–><span data-xwiki-translated-attribute-param="value">formatmacro4</span><!–stopmacro–></p> .#----------------------------------------------------- .input|xhtml/1.0 .#----------------------------------------------------- <!–startmacro:testformatmacro|-|–><span param="value">formatmacro2</span><!–stopmacro–><p><span a="b"><!–startmacro:testformatmacro|-|–><span param="value">formatmacro3</span><!–stopmacro–> text</span></p><p><span 
a="b">text</span><!–startmacro:testformatmacro|-|–><span param="value">formatmacro4</span><!–stopmacro–></p> <!–startmacro:testformatmacro|-|–><span data-xwiki-translated-attribute-param="value">formatmacro2</span><!–stopmacro–><p><span data-xwiki-translated-attribute-a="b"><!–startmacro:testformatmacro|-|–><span data-xwiki-translated-attribute-param="value">formatmacro3</span><!–stopmacro–> text</span></p><p><span data-xwiki-translated-attribute-a="b">text</span><!–startmacro:testformatmacro|-|–><span data-xwiki-translated-attribute-param="value">formatmacro4</span><!–stopmacro–></p>
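Review bot: the updated `.expect` sections only show the inert attribute names `param` and `a` being rewritten to `data-xwiki-translated-attribute-param` and `data-xwiki-translated-attribute-a`, so this test does not pin down the behaviour the advisory is actually about: an event-handler attribute or a link attribute carrying a scripting URL on the format macro's `<span>`. Add one expectation where such an attribute is supplied by the macro and assert that it, too, comes out with the `data-xwiki-translated-attribute-` prefix (or is dropped), so a regression that re-emits it verbatim fails this test rather than only the manual check. A one-line comment above the first `.expect|xhtml/1.0` block explaining that attributes outside the allowlist are renamed rather than dropped would also help the next reader understand why the expected output changed.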
### Impact

HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax.

### Patches

This has been patched in XWiki 14.6 RC1.

### Workarounds

There are no known workarounds apart from upgrading to a fixed version.

### References

* https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
* https://jira.xwiki.org/browse/XRENDERING-663

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
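The mitigation the advisory describes, as an added illustration that is not XWiki's own code: an HTML renderer keeps a small allowlist of attributes, emits those verbatim (after a scheme check for URL-valued ones), and renames everything else with a `data-` prefix so the browser treats it as inert data. The `data-xwiki-translated-attribute-` prefix is taken from the test expectations in the commit above; the allowlist contents, the `SAFE_SCHEMES` set and the function names are assumptions made for this example, not the project's actual rules.

```python
# Added illustration (not XWiki's code): attribute allowlisting for an HTML
# renderer. The prefix matches the commit's test expectations; everything else
# here (allowlist, safe schemes, function names) is an assumption for the example.
import re
from html import escape
from typing import Dict, Set

TRANSLATED_PREFIX = "data-xwiki-translated-attribute-"

# Assumed allowlist: "*" applies to every element, the rest is per element.
ALLOWED_ATTRIBUTES: Dict[str, Set[str]] = {
    "*": {"class", "id", "title", "lang", "dir"},
    "a": {"href", "rel"},
    "img": {"src", "alt", "width", "height"},
}

# Allowed attributes whose value is a URL still need a scheme check.
URL_ATTRIBUTES = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL

# Only names that can be serialised safely are emitted at all.
ATTRIBUTE_NAME = re.compile(r"^[a-z][a-z0-9_:.-]*$")


def url_scheme(value: str) -> str:
    """Return the lower-cased scheme a browser would parse, or "" if relative.

    The WHATWG URL parser strips leading/trailing C0 controls and spaces and
    ignores tab/newline anywhere, so a check that reads the raw string would
    miss values like "\\tjavascript:..." that the browser still executes.
    """
    start, end = 0, len(value)
    while start < end and ord(value[start]) <= 0x20:
        start += 1
    while end > start and ord(value[end - 1]) <= 0x20:
        end -= 1
    cleaned = "".join(ch for ch in value[start:end] if ch not in "\t\n\r")
    for index, ch in enumerate(cleaned):
        if ch == ":":
            return cleaned[:index].lower()
        if not ((ch.isascii() and ch.isalnum()) or ch in "+-."):
            return ""  # path, query or fragment begins before any ':' -> relative
    return ""


def is_safe_url(value: str) -> bool:
    return url_scheme(value) in SAFE_SCHEMES


def filter_attributes(element: str, attributes: Dict[str, str]) -> Dict[str, str]:
    """Keep allowed attributes verbatim; rename everything else with the prefix.

    Renaming instead of dropping keeps the value visible in the output (useful
    for round-tripping and debugging) while guaranteeing the browser never
    interprets it: a data-* attribute is inert whatever its name or value.
    """
    allowed = ALLOWED_ATTRIBUTES["*"] | ALLOWED_ATTRIBUTES.get(element.lower(), set())
    filtered: Dict[str, str] = {}
    for name, value in attributes.items():
        lname = name.lower()
        if not ATTRIBUTE_NAME.match(lname):
            continue  # unserialisable name: drop it entirely
        if lname in allowed and (lname not in URL_ATTRIBUTES or is_safe_url(value)):
            filtered[lname] = value
        else:
            filtered[TRANSLATED_PREFIX + lname] = value
    return filtered


def render_start_tag(element: str, attributes: Dict[str, str]) -> str:
    """Serialise a start tag, escaping values so they cannot break out of quotes."""
    parts = [element.lower()]
    for name, value in filter_attributes(element, attributes).items():
        parts.append(f'{name}="{escape(value, quote=True)}"')
    return "<" + " ".join(parts) + ">"


if __name__ == "__main__":
    # Constructed sample inputs; the first one is the case from the test above.
    samples = [
        ("span", {"param": "value"}),
        ("span", {"class": "note", "onclick": "alert(1)"}),
        ("a", {"href": "https://example.org/page"}),
        ("a", {"href": "\tjavascript:alert(1)"}),
        ("a", {"href": "java\nscript:alert(1)"}),
    ]
    for element, attributes in samples:
        print(render_start_tag(element, attributes))
```

The design choice worth noting is the order of checks: the scheme test runs only on attributes that are already on the allowlist, and the whitespace normalisation happens before the scheme is read, because a denylist applied to the raw string is exactly what the leading-tab and embedded-newline variants are meant to slip past.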