Reflected XSS in 'where' param of doSearchSite

Type atlassian
Reporter olivier2
Modified 2017-10-16T03:51:38


Olivier Beg <> reported {quote} {noformat}{noformat}

> I asume he is DOM based because he works in google chrome. {quote}

This results in

{code:html} <input type="hidden" id="search-filter-by-space" name="where" value="conf_all"><img src=x onerror=alert(1)>" style="width: 100%"/> {code}

which appears to be parsed as having a valid {{onerror}} attribute (???), which triggers the alert box if you move your mouse or just wait a second. Checked in Firefox and Chrome. Possibly {{where}} is used in javascript context in an unsafe way.