Content injection caused by failing to encode the URL

Type atlassian
Reporter dblack
Modified 2017-02-20T02:56:57


The exampleURLPrefix variable given to the [single-xml-header.vm|] or [searchrequest-xml-header.vm|] comes from the current URL (see [|] & [SearchRequestXMLView|]) and is not XML-encoded before being included in the response. In my testing, browsers such as Firefox and Chrome both URI-encode the query parameters of a URL/link. However, Internet Explorer (tested against version 11) does not URL-encode query parameters. This means that a URL like
{code}
https://$domain/si/jira.issueviews:issue-xml/DESK-2/DESK-2.xml?//--><html><body>hi</body>;<!-- 
{code}
can result in injected HTML content in the response.
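The missing step, as an added example that is not Jira's code or part of the original report: the URL-derived value is XML-encoded on the server before it reaches the header, so the result no longer depends on whether the browser percent-encoded the query. `renderHeader`, `xmlEncode`, `commentBrokenOut`, the `<root/>` element and the host `jira.example.test` are hypothetical, and placing the value inside an XML comment is an assumption based on the `-->` in the reported URL.

```java
public class ExampleUrlPrefixEncoding {

    // Hypothetical stand-in for the header template. Assumption: the value is
    // written inside an XML comment, which the "-->" in the report's URL suggests.
    static String renderHeader(String exampleUrlPrefix) {
        return "<!-- Example: " + exampleUrlPrefix + " -->\n<root/>";
    }

    // Encode the five XML special characters before the value reaches the template.
    static String xmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The template emits exactly one "-->"; any additional one came from the URL
    // and ended the comment early, so what follows is parsed as markup.
    static boolean commentBrokenOut(String rendered) {
        return rendered.indexOf("-->") != rendered.lastIndexOf("-->");
    }

    public static void main(String[] args) {
        // Constructed request URL: the report's example with a placeholder host,
        // as received when the client does not percent-encode the query string.
        String url = "https://jira.example.test/si/jira.issueviews:issue-xml/"
                + "DESK-2/DESK-2.xml?//--><html><body>hi</body>;<!--";

        String raw = renderHeader(url);
        String encoded = renderHeader(xmlEncode(url));

        System.out.println("unencoded, breaks out: " + commentBrokenOut(raw));
        System.out.println("encoded, breaks out:   " + commentBrokenOut(encoded));
        System.out.println(encoded);
    }
}
```

Because `--` is not permitted inside an XML comment, a strict parser may still reject the encoded output; percent-encoding the value, or leaving the query string out of the prefix, avoids that as well.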