Confluence Docs 3.0 : Confluence Community Security Advisory 2006-01-19
This page last changed on Jan 20, 2006 by jeremy@atlassian.com.
Problem

There is a possibility of XSS exploitation of the Full Name user profile field when displayed.

Solution

The problem was unescaped output of the full name; wrapping the output in $generalUtil.htmlEncode() resolves it. The vast majority of the problem can be resolved by changing /confluence/template/includes/macros.vm in the distribution on the following lines:

I have attached the modified macros.vm file here which you can copy into your distribution.

Scope

There are other places which are still affected, which Atlassian have been made aware of; a complete resolution should be provided by Atlassian in their own official advisory. I hope this helps some of you!
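Since other templates may still write the full name unescaped, the following added example (not part of the original advisory and not Confluence code) scans Velocity template text for full-name references that sit outside a $generalUtil.htmlEncode() call. The reference names `$user.fullName` and `getFullName()` and the sample template are assumptions made for illustration; references inside directives such as #set are reported too and need manual review.

```python
import re

# Velocity reference ending in a full-name property or getter, e.g.
# $user.fullName, $!{user.fullName}, $action.user.getFullName()
# (variable names are assumptions; the advisory does not list them).
REF = re.compile(r"\$!?\{?[A-Za-z_][\w.]*\.(?:fullName|getFullName\(\))\}?")
ENCODER = "$generalUtil.htmlEncode("  # helper named in the advisory


def encoded_spans(text):
    """Return (start, end) offsets of every htmlEncode(...) argument list."""
    spans, pos = [], text.find(ENCODER)
    while pos != -1:
        start = pos + len(ENCODER)
        depth, i = 1, start
        while i < len(text) and depth:      # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        spans.append((start, i))
        pos = text.find(ENCODER, i)
    return spans


def find_unescaped(text):
    """List (line_number, reference) for full-name output not HTML-encoded."""
    safe = encoded_spans(text)
    hits = []
    for m in REF.finditer(text):
        if not any(s <= m.start() < e for s, e in safe):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(0)))
    return hits


# Constructed sample template, not the real macros.vm.
SAMPLE = """\
#macro (userLink $user)
<a href="/display/~$user.name">$user.fullName</a>
#end
<td>$generalUtil.htmlEncode($user.fullName)</td>
<span title="$!{profile.getFullName()}">$generalUtil.htmlEncode($profile.getFullName())</span>
"""

if __name__ == "__main__":
    for line, ref in find_unescaped(SAMPLE):
        print(f"line {line}: {ref} is written without htmlEncode")
```

To audit a real installation, read each .vm file under the template directory and pass its contents to find_unescaped().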
Document generated by Confluence on Nov 05, 2009 23:26