Confluence Community Security Advisory 2006-01-19
The Full Name user profile field can be exploited for XSS when it is displayed.
The problem was that the full name was output without escaping; wrapping the output in $generalUtil.htmlEncode() resolves it. The vast majority of the problem can be resolved by changing /confluence/template/includes/macros.vm in the distribution on the following lines:
I have attached the modified macros.vm file here, which you can copy into your distribution.
There are other places that are still affected, which Atlassian has been made aware of; a complete resolution should be provided by Atlassian in their own official advisory.
I hope this helps some of you!
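To help locate the other affected places mentioned above, the following added example (not the advisory author's or Atlassian's code) scans Velocity template text for full-name references that are rendered without $generalUtil.htmlEncode(). The reference shapes it looks for ($user.fullName, ${action.user.fullName}, getFullName()) and the sample template are assumptions constructed for illustration, not the contents of the real macros.vm.

```python
import re

# Assumed reference shapes: $user.fullName, ${action.user.fullName},
# $action.getUser().getFullName(). Adjust to the names your templates use.
FULLNAME_REF = re.compile(
    r"\$!?\{?[A-Za-z_][\w.()]*?\.(?:fullName\b|getFullName\(\))\}?")
# Spans where a reference is either encoded or not rendered at all.
OPENER = re.compile(
    r"\$!?\{?generalUtil\.htmlEncode\(|#(?:if|elseif|set|foreach)\s*\(")


def covered_spans(text):
    """Return (start, end) offsets of each paren-balanced OPENER argument list."""
    spans = []
    for m in OPENER.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        spans.append((m.end(), i))
    return spans


def find_unescaped(text):
    """List (line_number, reference) for full-name output lacking htmlEncode."""
    spans = covered_spans(text)
    hits = []
    for m in FULLNAME_REF.finditer(text):
        if not any(start <= m.start() < end for start, end in spans):
            hits.append((text.count("\n", 0, m.start()) + 1, m.group(0)))
    return hits


# Constructed sample template, not the contents of the real macros.vm.
SAMPLE = """\
#macro (userLink $user)
<a href="/display/~$user.name">$user.fullName</a>
#end
<td>$generalUtil.htmlEncode($user.fullName)</td>
#if ($user.fullName)
<span title="${action.user.fullName}">profile</span>
#end
<p>$generalUtil.htmlEncode( $action.getUser().getFullName() )</p>
"""

if __name__ == "__main__":
    for line_no, ref in find_unescaped(SAMPLE):
        print(f"line {line_no}: unescaped {ref}")
```

A full name copied into another variable with #set and rendered under that name is not detected, so treat the output as a starting list for manual review.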