fix(security): escape user names in admin Users panel — stored-XSS keystone (chain PR 7) #36357
mbiuki wants to merge 1 commit into
…ored XSS (private-issues#651)

User first/last names are attacker-controllable and were rendered as HTML in the admin Users panel, enabling stored XSS that runs in the admin session.

- Add an escaping formatter to the users DataGrid name/email columns (list rows).
- Render the profile-detail full name and user id via textContent instead of innerHTML.

This is the keystone fix that breaks the reported XSS->RCE chain at the render sink; server-side name validation is added separately in the UserAPIImpl path.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
❌ Linked Issue Needs Team Label
This PR is linked to issue #651, but that issue has no
How to fix this: Apply a
This comment was automatically generated by the issue linking workflow.
Claude finished @mbiuki's task in 56s

Rollback Safety Analysis — PR #36357
Result: ✅ Safe to Rollback
The single changed file is
Changes reviewed:
No changes to:
The fix is a pure output-encoding change at the browser rendering layer. Rolling back to the previous release simply reverts the JSP to its prior state — no data is written, no schema is changed, and no contract is altered. N-1 starts and operates identically to before N was deployed.
🤖 dotBot Review (Bedrock)
Reviewed 1 file(s); 1 candidate(s) → 0 confirmed, 0 uncertain (unverified, kept for review). ✅ No issues found after verification.
us.deepseek.r1-v1:0 · Run: #28387443835 · tokens: in: 6214 · out: 1994 · total: 8208 · calls: 3 · est. ~$0.019
Security fix — XSS→RCE chain, render/output-encoding layer (tracking: dotCMS/private-issues#651)
Class: Stored XSS (CWE-79) · Severity: Critical (chain keystone) · Routing: Team : Maintenance
Problem
The admin Settings → Users panel rendered user-controlled first/last names as HTML, so a low-privilege user could store a payload via `PUT /api/v1/users/current` that executes in the admin browser session — the entry point of the reported XSS→RCE chain (deploys an OSGi bundle via the admin session).

Sinks in `view_users_js_inc.jsp`:
- `DataGrid` name/email columns (no formatter → Dojo renders cell value as HTML) — the list rows.
- `dojo.query('.fullUserName') … innerHTML = user.name` — profile detail.
- `userIdValue.innerHTML = user.id`.

Fix
- Add `escapeGridHtml` formatter to the grid name/email columns.
- `textContent` instead of `innerHTML`.

Why this is the keystone
Output encoding at the sink is the canonical stored-XSS fix and breaks the chain even though the input filter is bypassable (the report used a field-split bypass). Pairs with the server-side validation PR (#36356) as defense-in-depth.
Verification
`innerHTML` → `textContent` and an escaping grid formatter are behavior-preserving for legitimate names.
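To illustrate the two sink-side fixes discussed in this thread, here is an added example (not the PR's code): an HTML-escaping DataGrid cell formatter, a `textContent` sink, and a simulated cell render. The Dojo column layout, the `renderCell`/`setNameAsText` helpers and the sample user are constructed assumptions.

```javascript
// Added example, not the PR's code: an escaping grid formatter plus a
// textContent sink. The Dojo layout object and sample user are constructed.

// Escape the five characters that can change HTML context. A DataGrid
// formatter receives the raw cell value, which may be null or undefined.
function escapeGridHtml(value) {
  if (value === null || value === undefined) {
    return '';
  }
  return String(value)
    .replace(/&/g, '&amp;') // first, so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Profile-detail sink: assigning textContent makes the browser create text
// nodes instead of parsing markup (works on any DOM element-like object).
function setNameAsText(element, user) {
  element.textContent = user && user.name ? user.name : '';
  return element.textContent;
}

// Constructed Dojo DataGrid column layout (assumption): without `formatter`
// Dojo inserts the cell value as HTML; with it, the escaped string is inserted.
const userGridLayout = [
  { field: 'name', name: 'Name', width: '30%', formatter: escapeGridHtml },
  { field: 'email', name: 'Email', width: '30%', formatter: escapeGridHtml },
];

// Simulates the grid's per-cell step: apply the column's formatter if present.
function renderCell(column, row) {
  const raw = row[column.field];
  return column.formatter ? column.formatter(raw) : raw;
}

// Constructed sample: a name containing markup and quote characters, the kind
// of value that must never reach the DOM unescaped.
const sampleUser = {
  name: 'Mallory <b>"O\'Brien"</b> & Co',
  email: 'mallory@example.com',
};
```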