XSS Sanitization destroys links with certain strings
- Status
- Open
- Subject
- XSS Sanitization destroys links with certain strings
- Version
- 15.x
- Category
- Consistency
- Feature
- Wiki Syntax (text area, parser, external wiki, etc)
- Resolution status
- New
- Submitted by
- AlexB
- Lastmod by
- AlexB
- Rating
- Description
XSS Sanitizations seems to amend some input strings in the wiki / blog editor with an
. The is filtered out again when the text is being displayed to a user. This works for normal text, but not when a reserved word appears in a link.
Example:
[http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ev
al|ev al|nocache] The "ev
al" string in the link will also be changed to "ev al", but the will not be removed when the link is being displayed, so it doesn't point to a valid destination anymore. Expected result: The link is displayed correctly.
Using URL-Enoding on the affected strings as a workaround is possible, but a nuisance.
This happens regardless of whether the HTML Purifier function is active or not.
- Importance
- 3
- Priority
- 15
- Demonstrate Bug on Tiki 19+
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Show.tiki.org is not configured properlyThe public/private keys configured to connect to show2.tiki.org were not accepted. Please make sure you are using RSA keys. Thanks.
- Demonstrate Bug (older Tiki versions)
-
This bug has been demonstrated on show.tikiwiki.org
Please demonstrate your bug on show.tikiwiki.org
Show.tiki.org is not configured properlyThe public/private keys configured to connect to show.tikiwiki.org were not accepted. Please make sure you are using RSA keys. Thanks.
- Ticket ID
- 6315
- Created
- Sunday 09 April, 2017 16:00:39 UTC
by AlexB - LastModif
- Sunday 09 April, 2017 16:07:36 UTC