|Title|Arbitrary HTML markup in heading is rendered by TableOfContent plugin
|Date|04-May-2006 17:18:25 EEST
|Submitter|Jérôme Duprez
|[Bug criticality]|BadBug
|Browser version|Firefox
|[Bug status]|ClosedBug
|[PageProvider] used|CachingPageProvider
|Servlet Container|Tomcat 5.5.9
|Operating System|Windows XP Pro
|URL|[Sand Box], see also example inline
|Java version|1.5.0_06

On a Wiki where HTML markup is disallowed, a malicious user might introduce HTML markup all the same using [Table Of Contents Plugin].
I have checked only with harmless markup (text formatting), but I presume arbitrary HTML code might be rendered, including malicious JavaScript.

Here is an example (as long as the engine running jspwiki.org will allow it :o):

!<I>This heading might be italics but the engine forbids HTML markup so it is not

<I>This text might be italics but it is not

!<SUP>This heading might be superscript, but it is not

<SUP>This text might be superscript, but it is not

And this is normal text, unaffected

However if we put a table of contents {{{[{TableOfContents }]}}}, the HTML markup in the headings is retained in the TOC text:

[{TableOfContents }]

And this text appears as italics and superscript.
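The inconsistency described above, reduced to a small Python model as an added illustration (this is not JSPWiki's code): the body renderer escapes heading text because HTML is disallowed, a naive TOC builder copies the raw heading text into its own HTML, and the hardened TOC applies the same escaping as the body. The sample page and the names heading_texts, toc_vulnerable, toc_fixed and leaks_markup are constructed for this example.

```python
import html
import re

# Constructed sample page in JSPWiki-style markup (not taken from the report):
# a line starting with "!" is a heading; HTML markup is supposed to be
# disallowed everywhere on this wiki.
SAMPLE_PAGE = """!<I>Intro heading
Body text.
!<SUP>Second heading
More text."""

HEADING_RE = re.compile(r"^!+\s*(.*)$")


def heading_texts(page):
    """Return the raw text of every '!' heading, in page order."""
    texts = []
    for line in page.splitlines():
        m = HEADING_RE.match(line)
        if m:
            texts.append(m.group(1))
    return texts


def render_heading(text):
    """Body renderer: the heading is escaped, so '<I>' shows up as literal text."""
    return "<h2>%s</h2>" % html.escape(text, quote=True)


def toc_vulnerable(page):
    """Models the reported defect: heading text is copied into the TOC untouched,
    so a '<I>' or '<SUP>' typed by an author becomes a live tag in the output."""
    items = "".join("<li>%s</li>" % t for t in heading_texts(page))
    return "<ul>%s</ul>" % items


def toc_fixed(page):
    """Hardened form: escape the heading text with the same rule the body uses."""
    items = "".join("<li>%s</li>" % html.escape(t, quote=True)
                    for t in heading_texts(page))
    return "<ul>%s</ul>" % items


# Any tag other than the <ul>/<li> scaffolding the TOC itself emits.
FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:ul|li)\b)[A-Za-z][^>]*>")


def leaks_markup(rendered_toc):
    """Regression check: True if author-supplied markup survived into the TOC."""
    return bool(FOREIGN_TAG_RE.search(rendered_toc))
```

Running leaks_markup over both TOC variants is the check a maintainer would keep as a regression test once the escaping is in place.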

N.B.: I edited [Wiki Markup Development] because HTML tags in headings were rendered in its TOC, making the whole page unreadable.


Fixed in 2.4.31.