Skip to content

fix(security): escape user names in admin Users panel — stored-XSS keystone (chain PR 7)#36357

Draft
mbiuki wants to merge 1 commit into
mainfrom
issue-651-fix-users-panel-xss-encoding
Draft

fix(security): escape user names in admin Users panel — stored-XSS keystone (chain PR 7)#36357
mbiuki wants to merge 1 commit into
mainfrom
issue-651-fix-users-panel-xss-encoding

Conversation

@mbiuki

@mbiuki mbiuki commented Jun 29, 2026

Copy link
Copy Markdown
Member

Security fix — XSS→RCE chain, render/output-encoding layer (tracking: dotCMS/private-issues#651)

Class: Stored XSS (CWE-79) · Severity: Critical (chain keystone) · Routing: Team : Maintenance

Problem

The admin Settings → Users panel rendered user-controlled first/last names as HTML, so a low-privilege user could store a payload via PUT /api/v1/users/current that executes in the admin browser session — the entry point of the reported XSS→RCE chain (deploys an OSGi bundle via the admin session).

Sinks in view_users_js_inc.jsp:

  • Users DataGrid name/email columns (no formatter → Dojo renders cell value as HTML) — the list rows.
  • dojo.query('.fullUserName') … innerHTML = user.name — profile detail.
  • userIdValue.innerHTML = user.id.

Fix

  • Add an escapeGridHtml formatter to the grid name/email columns.
  • Render the detail full-name and user id via textContent instead of innerHTML.

Why this is the keystone

Output encoding at the sink is the canonical stored-XSS fix and breaks the chain even though the input filter is bypassable (the report used a field-split bypass). Pairs with the server-side validation PR (#36356) as defense-in-depth.

Verification

  • JSP/JS — not compiled by Maven; changes reviewed manually. innerHTMLtextContent and an escaping grid formatter are behavior-preserving for legitimate names.
  • Recommend a quick manual check in the admin Users panel (legacy Dojo grid) before merge.

⚠️ Draft. Publicly references an unpatched critical chain per maintainer instruction — coordinate with the security-advisory/release process before merge.

…ored XSS (private-issues#651)

User first/last names are attacker-controllable and were rendered as HTML in
the admin Users panel, enabling stored XSS that runs in the admin session.

- Add an escaping formatter to the users DataGrid name/email columns (list rows).
- Render the profile-detail full name and user id via textContent instead of
  innerHTML.

This is the keystone fix that breaks the reported XSS->RCE chain at the render
sink; server-side name validation is added separately in the UserAPIImpl path.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

❌ Linked Issue Needs Team Label

This PR is linked to issue #651, but that issue has no Team : * label. Every linked issue must be owned by a team for tracking and triage.

How to fix this:

Apply a Team : * label to the linked issue (e.g., Team : Scout, Team : Platform, Team : Falcon, Team : Maintenance). Then push a new commit or edit the PR description to re-run this check.


This comment was automatically generated by the issue linking workflow

@github-actions github-actions Bot added the Area : Backend PR changes Java/Maven backend code label Jun 29, 2026
@claude

claude Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Claude finished @mbiuki's task in 56s —— View job


Rollback Safety Analysis — PR #36357

  • Reading rollback-unsafe categories reference
  • Getting PR diff
  • Analyzing changes against unsafe categories
  • Applying label: AI: Safe To Rollback

Result: ✅ Safe to Rollback

The single changed file is dotCMS/src/main/webapp/html/portlet/ext/useradmin/view_users_js_inc.jsp — a JSP/JavaScript file that controls client-side rendering in the admin Users panel.

Changes reviewed:

Change Category check Verdict
Added escapeGridHtml JS function UI/JS only — no DB, ES, or API change ✅ Safe
Added formatter: escapeGridHtml to Dojo grid columns UI/JS only ✅ Safe
innerHTML → textContent for userIdValue UI/JS only ✅ Safe
innerHTML → textContent for .fullUserName elements UI/JS only ✅ Safe

No changes to:

  • Database schema or runonce tasks (C-1, C-2, C-3, C-4, H-1 through H-7)
  • Elasticsearch mappings (C-2)
  • Content JSON serialization model (C-3)
  • REST/GraphQL API contracts (M-3)
  • OSGi interfaces (M-4)
  • Push publishing bundle format (M-2)
  • VTL viewtool contracts (H-8)

The fix is a pure output-encoding change at the browser rendering layer. Rolling back to the previous release simply reverts the JSP to its prior state — no data is written, no schema is changed, and no contract is altered. N-1 starts and operates identically to before N was deployed.

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

🤖 dotBot Review (Bedrock)

Reviewed 1 file(s); 1 candidate(s) → 0 confirmed, 0 uncertain (unverified, kept for review).

✅ No issues found after verification.


us.deepseek.r1-v1:0 · Run: #28387443835 · tokens: in: 6214 · out: 1994 · total: 8208 · calls: 3 · est. ~$0.019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AI: Safe To Rollback Area : Backend PR changes Java/Maven backend code

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

1 participant