VYPR
Critical severity · NVD Advisory · Published Apr 15, 2023 · Updated Feb 6, 2025

org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability

CVE-2023-29202

Description

XWiki Commons are technical libraries common to several other top-level XWiki projects. The RSS macro bundled with XWiki included the content of feed items in the HTML output without any cleaning when the macro's content parameter was set to true. This allowed arbitrary HTML, and in particular JavaScript, to be injected (cross-site scripting, XSS) by pointing the macro at an RSS feed with malicious content.

With the interaction of a user with programming rights, this could be used to execute arbitrary actions in the wiki, including privilege escalation, remote code execution, information disclosure, modifying or deleting content and sabotaging the wiki.

The issue has been patched in XWiki 14.6 RC1: the content of the feed is now cleaned before being displayed. As a workaround, if the RSS macro is not used in the wiki, the macro can be uninstalled by deleting WEB-INF/lib/xwiki-platform-rendering-macro-rss-XX.jar, where XX is XWiki's version, in the web application's directory.
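
As an added example (not XWiki's own code, and not the HTMLCleaner the patch uses), the following Python sketch reproduces the two behaviours the description contrasts: passing a feed item's description straight through to the page, and cleaning it with an allowlist first. The sample feed is constructed for this example; its first item copies the payload of the fixture the patch adds (feed3.xml), and two further items carry an event-handler attribute, a script element and a tab-obfuscated javascript: URL that a naive prefix check would miss. The tag and attribute allowlists, the scheme list and all function names are this example's own choices, not XWiki's.

```python
"""Added example: untrusted RSS item HTML, raw (the vulnerable path) versus allowlist-cleaned."""
import re
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists chosen for this example; XWiki's HTMLCleaner "restricted" mode has its own rules.
ALLOWED_TAGS = {"p", "a", "b", "strong", "i", "em", "ul", "ol", "li", "br", "code", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text both disappear


def _safe_url(value):
    # Browsers ignore ASCII controls/whitespace inside a scheme, so "java\tscript:" is
    # executable; strip them before looking at the scheme.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme = urlsplit(cleaned).scheme      # lower-cased by urlsplit; "" for relative URLs
    return scheme == "" or scheme in SAFE_SCHEMES


class _FeedHtmlSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags/attributes and safe URL schemes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0      # > 0 while inside <script>/<style>
        self._open = []     # kept tags that still need a closing tag

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = 1
            return
        if tag not in ALLOWED_TAGS:
            return                               # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                         # on*, style, class ... are gone
            if name in ("href", "src") and not _safe_url(value):
                continue                         # javascript:, data: ... are gone
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in self._open:                    # close inner tags too, keep nesting valid
            while self._open:
                inner = self._open.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                                     # comments are dropped

    def close(self):
        super().close()
        while self._open:                        # close whatever the feed left open
            self.out.append(f"</{self._open.pop()}>")


def sanitize_feed_html(fragment):
    p = _FeedHtmlSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def render_descriptions(feed_xml, sanitize=True):
    """Description HTML per item: raw (what the macro did before 14.6 RC1) or cleaned."""
    items = ET.fromstring(feed_xml).iter("item")
    return [(sanitize_feed_html(d) if sanitize else d)
            for d in (item.findtext("description", default="") for item in items)]


# Constructed feed: item 1 copies the patch's feed3.xml payload, items 2 and 3 are added here.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Test Feed 3</title>
<item><title>Item1</title><link>http://localhost/blog/item1</link>
<description>An item with &lt;a href="javascript:alert(1)"&gt;dangerous&lt;/a&gt; &lt;b&gt;HTML&lt;/b&gt;markup.</description></item>
<item><title>Item2</title>
<description>&lt;img src="x" onerror="alert(document.cookie)"&gt;&lt;script&gt;alert(2)&lt;/script&gt;text</description></item>
<item><title>Item3</title>
<description>&lt;a href="java&amp;#09;script:alert(3)"&gt;obfuscated&lt;/a&gt; &lt;a href="https://example.com/"&gt;ok&lt;/a&gt;</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for raw, clean in zip(render_descriptions(SAMPLE_FEED, sanitize=False),
                          render_descriptions(SAMPLE_FEED)):
        print("RAW:  ", raw)
        print("CLEAN:", clean)
```

The cleaned output for the first item, `An item with <a>dangerous</a> <b>HTML</b>markup.`, is the same shape the patch's macrorss4.test expects apart from the `<p>` wrapper XWiki's cleaner adds: the element survives, the javascript: href does not. Note that the check is on the URL scheme after control characters are removed, not on a `startswith("javascript:")` test, which is why the tab-obfuscated third item is also neutralised.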

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.xwiki.platform:xwiki-core-rendering-macro-rss (Maven) | >= 1.8, <= 3.0.1 | none listed
org.xwiki.platform:xwiki-platform-rendering-macro-rss (Maven) | < 14.6-rc-1 | 14.6-rc-1
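
An added example (not part of the advisory or of XWiki) for checking an installation against the affected range above: it reads the version out of the jar name the workaround mentions and orders XWiki versions so that milestone and RC builds sort before the final release of the same number, which a plain string comparison gets backwards. The jar and version patterns, the function names and the webapp directory argument are assumptions of this example.

```python
"""Added example: flag an XWiki webapp whose bundled RSS macro jar predates the 14.6-rc-1 fix."""
import re
from pathlib import Path

FIXED_IN = "14.6-rc-1"   # from the advisory's patched-versions column
# Assumed jar naming, following the workaround's WEB-INF/lib/xwiki-platform-rendering-macro-rss-XX.jar
JAR_NAME = re.compile(r"^xwiki-platform-rendering-macro-rss-(?P<version>.+)\.jar$")
VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$")


def parse_version(text):
    """XWiki version string -> sortable tuple; milestone < rc < final for the same number.

    Plain string comparison gets this wrong: "14.6" < "14.6-rc-1" lexicographically,
    although 14.6 is the later (fixed) release.
    """
    m = VERSION.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))            # 14.6 -> (14, 6, 0)
    stage = {"milestone": 0, "rc": 1, None: 2}[m.group(2)]
    return numbers + (stage, int(m.group(3) or 0))


def is_affected(version):
    """True when the version is below 14.6-rc-1, i.e. inside the advisory's affected range."""
    return parse_version(version) < parse_version(FIXED_IN)


def triage_jars(filenames):
    """Map each RSS-macro jar name to True (vulnerable) / False (fixed); other files are ignored."""
    result = {}
    for name in filenames:
        m = JAR_NAME.match(name)
        if m:
            result[name] = is_affected(m.group("version"))
    return result


def scan_webapp(webapp_dir):
    """Look in WEB-INF/lib, the location the workaround names, and return the paths of
    vulnerable jars (the ones the workaround says to delete if the macro is unused)."""
    lib = Path(webapp_dir) / "WEB-INF" / "lib"
    verdicts = triage_jars(p.name for p in lib.glob("*.jar"))
    return [lib / name for name, vulnerable in verdicts.items() if vulnerable]


if __name__ == "__main__":
    import sys
    for jar in scan_webapp(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("vulnerable:", jar)
```

Run it with the web application directory as the argument; an empty result means no jar in the affected range was found under WEB-INF/lib (or the macro is not installed at all). Deleting the jar is only the advisory's workaround for wikis that do not use the macro; the fix is upgrading to 14.6 RC1 or later.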


Patches

Commit 5c7ebe47c289

XWIKI-19671: Filter the feed's content in the RSS macro

https://github.com/xwiki/xwiki-platform · Michael Hamann · Jul 5, 2022 · via ghsa
7 files changed · +116 −10
  • xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-rss/pom.xml (+5 −0, modified)
    @@ -50,6 +50,11 @@
           <artifactId>xwiki-rendering-macro-box</artifactId>
           <version>${rendering.version}</version>
         </dependency>
    +    <dependency>
    +      <groupId>org.xwiki.commons</groupId>
    +      <artifactId>xwiki-commons-xml</artifactId>
    +      <version>${commons.version}</version>
    +    </dependency>
         <dependency>
           <groupId>org.xwiki.platform</groupId>
           <artifactId>xwiki-platform-bridge</artifactId>
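
Review bot: the new xwiki-commons-xml dependency is declared without a scope and so lands in compile scope, which is what injecting HTMLCleaner into RssMacro needs; confirm that ${commons.version} is already defined in the parent POM, since nothing in this hunk introduces the property and an undefined one fails at dependency resolution rather than at compile time.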
    
  • xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-rss/src/main/java/org/xwiki/rendering/internal/macro/rss/RssMacro.java (+42 −2, modified)
    @@ -22,14 +22,17 @@
     import java.io.StringReader;
     import java.util.Arrays;
     import java.util.Collections;
    +import java.util.HashMap;
     import java.util.List;
    +import java.util.Map;
     import java.util.Set;
     
     import javax.inject.Inject;
     import javax.inject.Named;
     import javax.inject.Singleton;
     
     import org.apache.commons.lang3.StringUtils;
    +import org.w3c.dom.Document;
     import org.xwiki.bridge.SkinAccessBridge;
     import org.xwiki.component.annotation.Component;
     import org.xwiki.context.Execution;
    @@ -49,6 +52,9 @@
     import org.xwiki.rendering.parser.Parser;
     import org.xwiki.rendering.syntax.Syntax;
     import org.xwiki.rendering.transformation.MacroTransformationContext;
    +import org.xwiki.xml.html.HTMLCleaner;
    +import org.xwiki.xml.html.HTMLCleanerConfiguration;
    +import org.xwiki.xml.html.HTMLUtils;
     
     import com.sun.syndication.feed.synd.SyndEntry;
     import com.sun.syndication.feed.synd.SyndFeed;
    @@ -102,6 +108,12 @@ public class RssMacro extends AbstractBoxMacro<RssMacroParameters>
         @Inject
         private Execution execution;
     
    +    /**
    +     * To clean the HTML content.
    +     */
    +    @Inject
    +    private HTMLCleaner htmlCleaner;
    +
         /**
          * Create a Feed object from a feed specified as a URL.
          */
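
Review bot: the javadoc on the injected HTMLCleaner field says only "To clean the HTML content"; stating that it cleans HTML coming from remote feed entries, which must be treated as untrusted, records why the field exists so a later cleanup does not treat it as incidental wiring.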
    @@ -278,13 +290,41 @@ private void generateEntries(Block parentBlock, SyndFeed feed, RssMacroParameter
                     // A case where doing this might hurt is if a feed declares "text" and has any XML inside it does
                     // not want to be interpreted as such, but displayed as is instead. But this certainly is too rare
                     // compared to mis-formed feeds that say text while they want to say HTML.
    -                Block html = new RawBlock(entry.getDescription().getValue(), Syntax.XHTML_1_0);
    +                Block html = new RawBlock(cleanHTML(entry.getDescription().getValue()), Syntax.HTML_5_0);
                     parentBlock.addChild(new GroupBlock(Arrays.asList(html), Collections.singletonMap(CLASS_ATTRIBUTE,
                         "rssitemdescription")));
                 }
             }
         }
     
    +    private String cleanHTML(String content)
    +    {
    +        HTMLCleanerConfiguration cleanerConfiguration = this.htmlCleaner.getDefaultConfiguration();
    +        Map<String, String> parameters = new HashMap<>(cleanerConfiguration.getParameters());
    +
    +        // Just always use HTML 5 as this is what browsers parse.
    +        parameters.put(HTMLCleanerConfiguration.HTML_VERSION, "5");
    +        // Don't trust remote content.
    +        parameters.put(HTMLCleanerConfiguration.RESTRICTED, "true");
    +
    +        cleanerConfiguration.setParameters(parameters);
    +
    +        Document document = this.htmlCleaner.clean(new StringReader(content), cleanerConfiguration);
    +
    +        // Remove the HTML envelope since this macro is only a fragment of a page which will already have an
    +        // HTML envelope when rendered. We remove it so that the HTML <head> tag isn't output.
    +        HTMLUtils.stripHTMLEnvelope(document);
    +
    +        // Don't print the XML declaration nor the XHTML DocType.
    +        String cleanedContent = HTMLUtils.toString(document, true, true);
    +        // Don't print the top level html element (which is always present and at the same location
    +        // since it's been normalized by the HTML cleaner)
    +        // Note: we trim the first 7 characters since they correspond to a leading new line (generated by
    +        // XMLUtils.toString() since the doctype is printed on a line by itself followed by a new line) +
    +        // the 6 chars from "<html>".
    +        return cleanedContent.substring(7, cleanedContent.length() - 8);
    +    }
    +
         /**
          * @param romeFeedFactory a custom implementation to use instead of the default, useful for tests
          */
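
Review bot: the substring(7, cleanedContent.length() - 8) at the end of cleanHTML() hard-codes the serializer's output shape, and the comment explains only the leading 7 characters, not the trailing 8 it assumes ("</html>" plus a newline). If HTMLUtils.toString ever changes its line handling when the doctype is omitted, this returns a shifted fragment or throws StringIndexOutOfBoundsException on a very short result. Serializing only the children of the top-level element, or at least checking that cleanedContent starts with "\n<html>" and ends with "</html>\n" before slicing, would make the intent explicit. Also worth confirming that getDefaultConfiguration() hands back a fresh HTMLCleanerConfiguration rather than a shared instance, because setParameters(parameters) on a shared one would leak RESTRICTED=true and HTML_VERSION=5 into every other caller of the cleaner.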
    @@ -295,7 +335,7 @@ protected void setFeedFactory(RomeFeedFactory romeFeedFactory)
     
         /**
          * Convenience method to not have to handle exceptions in several places.
    -     * 
    +     *
          * @param content the content to parse as plain text
          * @return the parsed Blocks
          * @since 2.0M3
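
Review bot: the trailing-whitespace cleanup in this javadoc is unrelated to the fix; harmless, but keeping cosmetic changes out of a security patch keeps backports to the 13.x and 14.x maintenance branches minimal.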
    
  • xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-rss/src/test/resources/feed3.xml (+34 −0, added)
    @@ -0,0 +1,34 @@
    +<?xml version="1.0"?>
    +
    +<!--
    + * See the NOTICE file distributed with this work for additional
    + * information regarding copyright ownership.
    + *
    + * This is free software; you can redistribute it and/or modify it
    + * under the terms of the GNU Lesser General Public License as
    + * published by the Free Software Foundation; either version 2.1 of
    + * the License, or (at your option) any later version.
    + *
    + * This software is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
    + * Lesser General Public License for more details.
    + *
    + * You should have received a copy of the GNU Lesser General Public
    + * License along with this software; if not, write to the Free
    + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
    + * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
    +-->
    +
    +<rss version="2.0">
    +  <channel>
    +    <title>Test Feed 3</title>
    +    <link>http://localhost/feed.xml</link>
    +    <description>A pseudo-feed to test the RSS macro</description>
    +    <item>
    +      <title>Item1</title>
    +      <link>http://localhost/blog/item1</link>
    +      <description>An item with &lt;a href="javascript:alert(1)"&gt;dangerous&lt;/a&gt; &lt;b&gt;HTML&lt;/b&gt;markup.</description>
    +    </item>
    +  </channel>
    +</rss>
    \ No newline at end of file
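
Review bot: the fixture exercises only a javascript: href. The macro now relies on the cleaner's restricted mode to also drop <script> and <style> bodies and on* event-handler attributes, and none of those appear here; adding an item whose description carries, say, <img src="x" onerror="..."> and a <script> element would let macrorss4.test pin down that behaviour instead of leaving it to the cleaner's defaults.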
    
  • xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-rss/src/test/resources/macrorss1.test (+3 −3, modified)
    @@ -31,7 +31,7 @@ onWord [City]
     endLink [Typed = [true] Type = [url] Reference = [http://liftoff.msfc.nasa.gov/news/2003/news-starcity.asp]] [true]
     endParagraph [[class]=[rssitemtitle]]
     beginGroup [[class]=[rssitemdescription]]
    -onRawText [How do Americans get ready to work with Russians aboard the International Space Station?] [xhtml/1.0]
    +onRawText [<p>How do Americans get ready to work with Russians aboard the International Space Station?</p>] [html/5.0]
     endGroup [[class]=[rssitemdescription]]
     beginParagraph [[class]=[rssitemtitle]]
     beginLink [Typed = [true] Type = [url] Reference = [http://liftoff.msfc.nasa.gov/]] [true]
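
Review bot: the expected raw text now carries a <p> wrapper the feed itself never had (the cleaner normalises the fragment as html/5.0), so every description renders as a block paragraph inside the rssitemdescription div where it used to be inline text. That is a visible layout change for all existing feeds, not just malicious ones, and deserves a mention in the release notes or a skin/CSS note, or the wrapper could be unwrapped when the description contains no block-level content.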
    @@ -41,12 +41,12 @@ onWord [Exploration]
     endLink [Typed = [true] Type = [url] Reference = [http://liftoff.msfc.nasa.gov/]] [true]
     endParagraph [[class]=[rssitemtitle]]
     beginGroup [[class]=[rssitemdescription]]
    -onRawText [Sky watchers in Europe, Asia, and parts of Alaska and Canada.] [xhtml/1.0]
    +onRawText [<p>Sky watchers in Europe, Asia, and parts of Alaska and Canada.</p>] [html/5.0]
     endGroup [[class]=[rssitemdescription]]
     endGroup [[class]=[box rssfeed]]
     endMacroMarkerStandalone [testrss] [feed=file://feed1.xml|content=true|count=2|image=true]
     endDocument
     .#-----------------------------------------------------
     .expect|xhtml/1.0
     .#-----------------------------------------------------
    -<div class="box rssfeed"><img src="http://www.w3schools.com/images/logo.gif" class="wikimodel-freestanding" alt="http://www.w3schools.com/images/logo.gif"/><br/><p class="rsschanneltitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/">Lift Off News</a></span><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/"><img src="/xwiki/resources/icons/silk/feed.png" alt="/xwiki/resources/icons/silk/feed.png"/></a></span></p><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/news/2003/news-starcity.asp">Star City</a></span></p><div class="rssitemdescription">How do Americans get ready to work with Russians aboard the International Space Station?</div><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/">Space Exploration</a></span></p><div class="rssitemdescription">Sky watchers in Europe, Asia, and parts of Alaska and Canada.</div></div>
    \ No newline at end of file
    +<div class="box rssfeed"><img src="http://www.w3schools.com/images/logo.gif" class="wikimodel-freestanding" alt="http://www.w3schools.com/images/logo.gif"/><br/><p class="rsschanneltitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/">Lift Off News</a></span><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/"><img src="/xwiki/resources/icons/silk/feed.png" alt="/xwiki/resources/icons/silk/feed.png"/></a></span></p><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/news/2003/news-starcity.asp">Star City</a></span></p><div class="rssitemdescription"><p>How do Americans get ready to work with Russians aboard the International Space Station?</p></div><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/">Space Exploration</a></span></p><div class="rssitemdescription"><p>Sky watchers in Europe, Asia, and parts of Alaska and Canada.</p></div></div>
    \ No newline at end of file
    
  • xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-rss/src/test/resources/macrorss2.test (+2 −2, modified)
    @@ -28,12 +28,12 @@ onWord [Item1]
     endLink [Typed = [true] Type = [url] Reference = [http://localhost/blog/item1]] [true]
     endParagraph [[class]=[rssitemtitle]]
     beginGroup [[class]=[rssitemdescription]]
    -onRawText [An item with<b>HTML</b>markup.] [xhtml/1.0]
    +onRawText [<p>An item with<b>HTML</b>markup.</p>] [html/5.0]
     endGroup [[class]=[rssitemdescription]]
     endGroup [[class]=[box rssfeed]]
     endMacroMarkerStandalone [testrss] [feed=file://feed2.xml|content=true|count=1|image=false]
     endDocument
     .#-----------------------------------------------------
     .expect|xhtml/1.0
     .#-----------------------------------------------------
    -<div class="box rssfeed"><p class="rsschanneltitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://localhost/feed.xml">Test Feed 2</a></span><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://localhost/feed.xml"><img src="/xwiki/resources/icons/silk/feed.png" alt="/xwiki/resources/icons/silk/feed.png"/></a></span></p><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://localhost/blog/item1">Item1</a></span></p><div class="rssitemdescription">An item with<b>HTML</b>markup.</div></div>
    \ No newline at end of file
    +<div class="box rssfeed"><p class="rsschanneltitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://localhost/feed.xml">Test Feed 2</a></span><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://localhost/feed.xml"><img src="/xwiki/resources/icons/silk/feed.png" alt="/xwiki/resources/icons/silk/feed.png"/></a></span></p><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://localhost/blog/item1">Item1</a></span></p><div class="rssitemdescription"><p>An item with<b>HTML</b>markup.</p></div></div>
    \ No newline at end of file
    
  • xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-rss/src/test/resources/macrorss3.test (+3 −3, modified)
    @@ -17,7 +17,7 @@ onWord [City]
     endLink [Typed = [true] Type = [url] Reference = [http://liftoff.msfc.nasa.gov/news/2003/news-starcity.asp]] [true]
     endParagraph [[class]=[rssitemtitle]]
     beginGroup [[class]=[rssitemdescription]]
    -onRawText [How do Americans get ready to work with Russians aboard the International Space Station?] [xhtml/1.0]
    +onRawText [<p>How do Americans get ready to work with Russians aboard the International Space Station?</p>] [html/5.0]
     endGroup [[class]=[rssitemdescription]]
     beginParagraph [[class]=[rssitemtitle]]
     beginLink [Typed = [true] Type = [url] Reference = [http://liftoff.msfc.nasa.gov/]] [true]
    @@ -27,12 +27,12 @@ onWord [Exploration]
     endLink [Typed = [true] Type = [url] Reference = [http://liftoff.msfc.nasa.gov/]] [true]
     endParagraph [[class]=[rssitemtitle]]
     beginGroup [[class]=[rssitemdescription]]
    -onRawText [Sky watchers in Europe, Asia, and parts of Alaska and Canada.] [xhtml/1.0]
    +onRawText [<p>Sky watchers in Europe, Asia, and parts of Alaska and Canada.</p>] [html/5.0]
     endGroup [[class]=[rssitemdescription]]
     endGroup [[class]=[rssfeed]]
     endMacroMarkerStandalone [testrss] [feed=file://feed1.xml|content=true|count=2|decoration=false|encoding=UTF-8]
     endDocument
     .#-----------------------------------------------------
     .expect|xhtml/1.0
     .#-----------------------------------------------------
    -<div class="rssfeed"><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/news/2003/news-starcity.asp">Star City</a></span></p><div class="rssitemdescription">How do Americans get ready to work with Russians aboard the International Space Station?</div><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/">Space Exploration</a></span></p><div class="rssitemdescription">Sky watchers in Europe, Asia, and parts of Alaska and Canada.</div></div>
    \ No newline at end of file
    +<div class="rssfeed"><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/news/2003/news-starcity.asp">Star City</a></span></p><div class="rssitemdescription"><p>How do Americans get ready to work with Russians aboard the International Space Station?</p></div><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://liftoff.msfc.nasa.gov/">Space Exploration</a></span></p><div class="rssitemdescription"><p>Sky watchers in Europe, Asia, and parts of Alaska and Canada.</p></div></div>
    \ No newline at end of file
    
  • xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-rss/src/test/resources/macrorss4.test (+27 −0, added)
    @@ -0,0 +1,27 @@
    +.runTransformations
    +.#-----------------------------------------------------
    +.input|xwiki/2.0
    +.# Verify HTML filtering works.
    +.#-----------------------------------------------------
    +{{testrss feed="file://feed3.xml" content="true" count="2" decoration="false" encoding="UTF-8"/}}
    +.#-----------------------------------------------------
    +.expect|event/1.0
    +.#-----------------------------------------------------
    +beginDocument
    +beginMacroMarkerStandalone [testrss] [feed=file://feed3.xml|content=true|count=2|decoration=false|encoding=UTF-8]
    +beginGroup [[class]=[rssfeed]]
    +beginParagraph [[class]=[rssitemtitle]]
    +beginLink [Typed = [true] Type = [url] Reference = [http://localhost/blog/item1]] [true]
    +onWord [Item1]
    +endLink [Typed = [true] Type = [url] Reference = [http://localhost/blog/item1]] [true]
    +endParagraph [[class]=[rssitemtitle]]
    +beginGroup [[class]=[rssitemdescription]]
    +onRawText [<p>An item with <a>dangerous</a> <b>HTML</b>markup.</p>] [html/5.0]
    +endGroup [[class]=[rssitemdescription]]
    +endGroup [[class]=[rssfeed]]
    +endMacroMarkerStandalone [testrss] [feed=file://feed3.xml|content=true|count=2|decoration=false|encoding=UTF-8]
    +endDocument
    +.#-----------------------------------------------------
    +.expect|xhtml/1.0
    +.#-----------------------------------------------------
    +<div class="rssfeed"><p class="rssitemtitle"><span class="wikiexternallink"><a class="wikimodel-freestanding" href="http://localhost/blog/item1">Item1</a></span></p><div class="rssitemdescription"><p>An item with <a>dangerous</a> <b>HTML</b>markup.</p></div></div>
    \ No newline at end of file
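
Review bot: the macro call uses count="2" while feed3.xml carries a single item, so the parameter is misleading; either add a second item to the fixture (a natural place for a <script> or onerror payload) or set count="1". The expectation <a>dangerous</a> does show the javascript: href being removed, but since it is the only security assertion in the whole patch, a comment on the .# line saying exactly that (href with javascript: scheme dropped, element kept) would make the test's purpose obvious to whoever next regenerates the expected output.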
    

