panicsteve w2wiki Markdown index.php toHTML cross site scripting

An attacker can inject malicious scripts into wiki pages by manipulating the input to the toHTML function. This function processes various markup, including links and images, without adequately escaping special characters. When a victim views a page containing such crafted input, the embedded script will execute in their browser, potentially leading to unauthorized actions or information disclosure. The attack can be launched remotely by simply creating or editing a wiki page with malicious content [ref_id=1].

The vulnerability resides within the toHTML function located in the index.php file. Specifically, the regular expression replacements for links ('[[...]]'), images ('{{...}}'), and messages ('message:...') were not properly sanitizing the captured groups before inserting them into the HTML output [ref_id=1].

The patch introduces new helper functions (_handle_links, _handle_images, _handle_message) that are used with preg_replace_callback. These callbacks now use htmlentities to sanitize the matched input before it is incorporated into the HTML output. This prevents malicious code from being rendered directly, thereby closing the cross-site scripting vulnerability [ref_id=1].