Scope of this issue is to address two specific XSS vulnerabilies. The scope of fixing i18n parameters is [tracked elsewhere|https://jira.atlassian.com/browse/CONF-15548]. Please see [the comment below for details|https://jira.atlassian.com/browse/CONF-27396?focusedCommentId=451824&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-451824]. ---- (Original Description) The {{ConfluenceActionSupport.getText}} method is annotated with {{@HtmlSafe}}, forcing the Velocity engine to skip HTML encoding of the methods response. The responsibility of HTML encoding is therefore placed on the caller. There appears to be a common vulnerability in several velocity templates, that take a user controlled variable and pass it as an argument to the {{getText}} method without encoding, leading to XSS vulnerabilities. Two such examples are: {code:title=Managereferrers.vm|borderStyle=solid} #if ($justAdded) #applyDecorator("warning" "") $action.getText("added.exclusion.feedback", [$justAdded, "$req.contextPath/admin/purgesinglereferrer.action?referrer=$justAdded", "$req.contextPath/admin/purgereferrers.action"]) #end #end {code} {code:title=Importword.vm|borderStyle=solid}

$action.getText("office.connector.docimport.whereto"):

$action.getText("office.connector.docimport.whereto.space", [$pageTitle])

$action.getText("office.connector.docimport.whereto.page", [$pageTitle])

$action.getText("office.connector.docimport.whereto.delete", [$pageTitle])

{code} It's recommended all callers of the getText() method require HTML encoding of user controlled parameters.

Fix XSS vulnerabilities in managereferrers.vm and importword.vm