Title | Arbitrary HTML markup in heading is rendered by TableOfContent plugin |
Date | 04-May-2006 17:18:25 EEST |
Version | 2.4.0 |
Submitter | Jérôme Duprez |
Bug criticality | BadBug |
Browser version | Firefox |
Bug status | ClosedBug |
PageProvider used | CachingPageProvider |
Servlet Container | Tomcat 5.5.9 |
Operating System | Windows XP Pro |
URL | Sand Box, see also example inline |
Java version | 1.5.0_06 |
On a Wiki where HTML markup is disallowed, a malicious user might introduce HTML markup all the same using the Table Of Contents Plugin. I have checked only with harmless markup (text formatting), but I presume arbitrary HTML code might be rendered, including malicious JavaScript.
Here is an example (as long as the engine running jspwiki.org will allow it :o):
<I>This heading might be italics but the engine forbids HTML markup so it is not
<I>This text might be italics but it is not
<SUP>This heading might be superscript, but it is not
<SUP>This text might be superscript, but it is not
And this is normal text, unaffected
However, if we put a table of contents [{TableOfContents }], the HTML markup in the headings is retained in the TOC text:
And this text appears as italics and superscript.
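To make the failure mode concrete, here is an added Python illustration (not JSPWiki's own code) of a minimal TOC generator: one version copies heading text into the TOC verbatim, as the report describes, and the other HTML-escapes it first. It assumes headings are lines starting with "!" and uses a constructed page body built from the example above.

```python
import html
import re

# Constructed sample page body (not taken from the wiki engine). The "!" heading
# prefix is an assumption about the markup; the heading text carries the same
# unclosed tags the bug report uses.
SAMPLE_PAGE = """\
!<I>This heading might be italics but the engine forbids HTML markup so it is not
<I>This text might be italics but it is not
!<SUP>This heading might be superscript, but it is not
<SUP>This text might be superscript, but it is not
And this is normal text, unaffected
"""

HEADING_RE = re.compile(r"^(!{1,3})\s*(.*)$")


def extract_headings(page_text):
    """Return (level, raw_heading_text) for every heading line in the page."""
    headings = []
    for line in page_text.splitlines():
        m = HEADING_RE.match(line)
        if m:
            headings.append((len(m.group(1)), m.group(2).strip()))
    return headings


def render_toc_unescaped(page_text):
    """The reported behaviour: heading text is copied into the TOC verbatim,
    so any markup a user typed becomes live HTML in the rendered TOC."""
    items = "".join(f"<li>{text}</li>" for _, text in extract_headings(page_text))
    return f'<ul class="toc">{items}</ul>'


def render_toc_escaped(page_text):
    """The fix: HTML-escape heading text before placing it in the TOC, so the
    TOC shows exactly what the page body shows (literal text, no markup)."""
    items = "".join(
        f"<li>{html.escape(text, quote=True)}</li>"
        for _, text in extract_headings(page_text)
    )
    return f'<ul class="toc">{items}</ul>'


def toc_contains_live_tags(toc_html):
    """Check: any tag left after removing the TOC's own <ul>/<li> wrappers
    came from user-controlled heading text and would be rendered as HTML."""
    stripped = re.sub(r"</?(ul|li)\b[^>]*>", "", toc_html)
    return re.search(r"<[a-zA-Z]", stripped) is not None
```

Running `toc_contains_live_tags` over the two renderings shows the unescaped TOC carries the user's `<I>` and `<SUP>` tags through while the escaped one does not.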
N.B.: I edited Wiki Markup Development because HTML tags in headings were rendered in its TOC, making the whole page unreadable.
Fixed in 2.4.31.