Loading...
 
Skip to main content

XSS Sanitization destroys links with certain strings

Status
Open
Subject
XSS Sanitization destroys links with certain strings
Version
15.x
Category
  • Consistency
Feature
Wiki Syntax (text area, parser, external wiki, etc)
Resolution status
New
Submitted by
AlexB
Lastmod by
AlexB
Rating
(0)
Description

XSS Sanitizations seems to amend some input strings in the wiki / blog editor with an . The is filtered out again when the text is being displayed to a user.

This works for normal text, but not when a reserved word appears in a link.

Example:

evalQuestion

[http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eval|eval|nocache]

The "eval" string in the link will also be changed to "eval", but the will not be removed when the link is being displayed, so it doesn't point to a valid destination anymore.

Expected result: The link is displayed correctly.

Using URL-Enoding on the affected strings as a workaround is possible, but a nuisance.

This happens regardless of whether the HTML Purifier function is active or not.

Importance
3
Priority
15
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
6315
Created
Sunday 09 April, 2017 16:00:39 UTC
by AlexB
LastModif
Sunday 09 April, 2017 16:07:36 UTC


Show PHP error messages