Content injection caused by failing to encode the url

2014-07-28T04:26:29
ID ATLASSIAN:JRASERVER-39301
Type atlassian
Reporter dblack
Modified 2017-02-20T02:56:57

Description

The exampleURLPrefix variable given to [single-xml-header.vm|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-core/src/main/resources/templates/plugins/issueviews/single-xml-header.vm#11] or [searchrequest-xml-header.vm|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-core/src/main/resources/templates/plugins/searchrequestviews/searchrequest-xml-header.vm#11] comes from the current URL (see [IssueXMLView.java|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-core/src/main/java/com/atlassian/jira/issue/views/IssueXMLView.java#122] & [SearchRequestXMLView|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-core/src/main/java/com/atlassian/jira/issue/views/SearchRequestXMLView.java#136]) and is not XML-encoded before being included in the response. Browsers such as Firefox and Chrome in my testing both URI-encode the query parameters of a URL/link. However, Internet Explorer (tested against version 11) does not URL-encode query parameters. This means that a URL like {code}https://$domain/si/jira.issueviews:issue-xml/DESK-2/DESK-2.xml?//--><html><body>hi</body>;<!-- {code} can result in injected HTML content in the response.
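As an added example (not code from this ticket or from JIRA), the following Python model of the XML header template shows why the fix belongs at output time: the element names, hostname and helper names are assumed, and the request URL is constructed to match the unencoded query string the report describes. Escaping the URL as XML character data makes the response well-formed and preserves the URL text, whichever browser sent it.

```python
"""Added illustration of the reported bug and its output-encoding fix.
Assumption: the XML view writes the request URL into a <link> element,
standing in for the exampleURLPrefix usage in the header templates."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed request URL: the query string is what a browser that does
# not percent-encode query parameters would send (IE 11 per the report).
RAW_URL = ("https://jira.example.invalid/si/jira.issueviews:issue-xml/DESK-2/"
           "DESK-2.xml?//--><html><body>hi</body>;<!--")


def header_vulnerable(url: str) -> str:
    """Interpolates the URL verbatim, as the unencoded template does."""
    return f"<rss><channel><link>{url}</link></channel></rss>"


def header_fixed(url: str) -> str:
    """Escapes &, < and > so the URL can only ever be character data."""
    return f"<rss><channel><link>{escape(url)}</link></channel></rss>"


def parsed_link(doc: str):
    """Returns the <link> text if the document is well-formed XML,
    or None if the injected markup broke the document structure."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return None
    return root.findtext("channel/link")


if __name__ == "__main__":
    # Unescaped: the injected tags become markup and the document no longer parses.
    print("vulnerable parses as:", parsed_link(header_vulnerable(RAW_URL)))
    # Escaped: the document parses and the original URL is recovered unchanged.
    print("fixed round-trips URL:", parsed_link(header_fixed(RAW_URL)) == RAW_URL)
```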