Description

All event data is output directly to the renderer's doc element without any escaping in the table syntax. Proof of concept: add the following to an event description and load a page with a table:

Test <script>alert('bang')</script>

Revisions and Commits

rDAVCAL DokuWiki DAVCal PlugIn
	rDAVCAL42ccc183adf9 Try to fix some XSS vulnerabilities, ref T51
	rDAVCALfba5a06844d8 Try to fix some XSS vulnerabilities, ref T51
rDAVCARD DokuWiki davcard PlugIn
	rDAVCARD7ddcc8b498be Try to fix XSS vulnerabilities, ref T51

Event Timeline

splitbrain created this task.Nov 15 2017, 3:23 PM

Diffusion added a commit: rDAVCARD7ddcc8b498be: Try to fix XSS vulnerabilities, ref T51.Nov 15 2017, 6:53 PM

Diffusion added a commit: rDAVCALfba5a06844d8: Try to fix some XSS vulnerabilities, ref T51.

Thanks for your comment, much appreciated! It should be fixed now, would you mind having a look again?

Diffusion added a commit: rDAVCAL42ccc183adf9: Try to fix some XSS vulnerabilities, ref T51.Nov 17 2017, 10:09 PM

Lots of XSS vulnerabilitiesOpen, HighPublicActions

Description

Revisions and Commits

Event Timeline

Lots of XSS vulnerabilities
Open, HighPublic
Actions