xwiki, html macro tag and unwanted javascript

xwiki – by default – allows contributors to embed arbitrary html, including javascript. it does not take much effort to include something like: then you just need to lure your victim into visiting the given wiki page while logged in – you'll get an http request containing that person's session cookie, which can be re-used to impersonate ...
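The attack above only works if the session cookie is readable from `document.cookie`, which is exactly what a missing `HttpOnly` attribute allows. The following Python script is an added example (not code from the original post, and not part of xwiki) that audits `Set-Cookie` headers for the attributes that limit what injected javascript can do, and models what a script injected through the html macro would actually get to read. The header strings are constructed sample data; the cookie names in them are invented for illustration and are not taken from xwiki.

```python
"""Audit Set-Cookie headers against cookie theft by injected javascript.

Added example, not from the original post. A cookie without HttpOnly is exposed
through document.cookie, which is what a cookie-stealing XSS payload relies on.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value, or True for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def missing_protections(cookie: Cookie) -> list:
    """Return the protections a cookie lacks; an empty list means it is hardened."""
    issues = []
    if "httponly" not in cookie.attrs:
        issues.append("HttpOnly")            # readable via document.cookie
    if "secure" not in cookie.attrs:
        issues.append("Secure")              # sent over plain http as well
    samesite = cookie.attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in {"lax", "strict"}:
        issues.append("SameSite=Lax/Strict")  # sent on cross-site requests
    return issues


def readable_by_script(headers) -> str:
    """Model the string that document.cookie would expose to injected javascript:
    every cookie that is not HttpOnly, joined the way browsers do."""
    exposed = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if "httponly" not in cookie.attrs:
            exposed.append(f"{cookie.name}={cookie.value}")
    return "; ".join(exposed)


def audit(headers) -> dict:
    """Map each cookie name to its missing protections, skipping hardened cookies."""
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = missing_protections(cookie)
        if missing:
            findings[cookie.name] = missing
    return findings


# Constructed sample headers (cookie names are invented, not xwiki's).
SAMPLE_HEADERS = [
    "wiki_session=abc123; Path=/",                                    # stealable
    "hardened_session=def456; Path=/; Secure; HttpOnly; SameSite=Lax",  # not exposed
]

if __name__ == "__main__":
    print("document.cookie would expose:", readable_by_script(SAMPLE_HEADERS))
    for name, missing in audit(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run it against the real headers from your wiki's login response (for example, captured with the browser's network panel) instead of the sample list. Note that `HttpOnly` only stops the cookie-exfiltration variant: a script running in a logged-in user's page can still issue same-origin requests with the cookie attached by the browser, so the root fix remains restricting who may use the html macro.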