[ https://issues.apache.org/jira/browse/JSPWIKI-519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18038649#comment-18038649 ]

Juan Pablo Santos Rodríguez commented on JSPWIKI-519:
-----------------------------------------------------

The following test passes, so inserting JavaScript should be allowed:

{code}
    @Test
    void testScriptWhenAllowed() throws Exception {
        // Raw HTML containing a script element, fed in as page source
        final String src = "<script>alert(1)</script>";
        // Engine built with raw HTML passthrough explicitly enabled
        final Engine testEngine = TestEngine.build( with( "jspwiki.translatorReader.allowHTML", "true" ) );
        final Page page = Wiki.contents().page( testEngine, "testPage" );
        final String out = translate( testEngine, page, src );
        // The script element is rendered unchanged, i.e. not escaped or stripped
        Assertions.assertEquals( "<script>alert(1)</script>", out );
    }
{code}

{{jspwiki.translatorReader.allowHTML}} is [set to false|https://github.com/apache/jspwiki/blob/master/jspwiki-main/src/main/resources/ini/jspwiki.properties#L244-L264] by default, but over the years we got a few security reports stating that when that property is set to true, malicious JS could be injected.

> Using Script on a JSPWiki page
> ------------------------------
>
>                 Key: JSPWIKI-519
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-519
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.8.1
>         Environment: Using JSPWiki on Windows in Internet Explorer and Mozilla
>            Reporter: Stephen Thompson
>            Priority: Minor
>
> I'm working for a company that currently uses VQWiki and wants to convert 
> them to pages that are compatible with and use JSPWiki. I have everything 
> converted, but some of the pages have some <script> in them. My main problem 
> is laying out some functions between one script tag, having some wiki markup, 
> then referring to the previously defined function. Here's an example of 
> code, 
> {{<script>
> some script code
> function populateTable()
> {
> .......
> }
> </script>
> Example of Wikitext.......
> <script>
> populateTable()
> </script>}}
> When I view that page, and view the errors that are on that page, it says 
> object expected in line (whichever line the populateTable function is called 
> on), or in Mozilla, the error would be "populateTable is not defined." I've 
> checked all opening and closing parentheses and brackets and all of that 
> stuff. I was wondering if there was something I am doing wrong, or if there 
> is something you could help me with.
> Thanks
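A configuration audit for the property discussed in the comment above, as an added example that is not JSPWiki's own code: it parses a Java properties file and reports whether jspwiki.translatorReader.allowHTML is effectively enabled, so a commented-out line or the default is correctly read as "off". The sample file contents, the file name jspwiki-custom.properties and the set of truthy spellings are constructed assumptions.

```python
"""Audit JSPWiki config for jspwiki.translatorReader.allowHTML (added example,
not JSPWiki code). Handles Java .properties syntax: '#'/'!' comments, '=' ':'
or whitespace separators, and backslash line continuations."""
import re

ALLOW_HTML_KEY = "jspwiki.translatorReader.allowHTML"
# Truthy spellings counted as "enabled" (assumption: a broad superset, since
# the page does not state exactly which tokens JSPWiki accepts).
TRUTHY = {"true", "yes", "on"}

# Constructed sample: the commented-out line must not count; the live line
# uses ':' as separator, upper case, and a backslash continuation.
SAMPLE_ENABLED = """\
# constructed sample jspwiki-custom.properties
jspwiki.applicationName = JSPWiki
#jspwiki.translatorReader.allowHTML = false
jspwiki.translatorReader.allowHTML : \\
    TRUE
jspwiki.baseURL=http://localhost:8080/JSPWiki/
"""
SAMPLE_DEFAULT = "jspwiki.applicationName = JSPWiki\n#jspwiki.translatorReader.allowHTML = true\n"

def _logical_lines(text):
    """Join backslash-continued lines; drop blank and comment lines."""
    buf, out = "", []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd run of backslashes: line continues
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out + ([buf] if buf else [])

def parse_properties(text):
    """Minimal java.util.Properties-style parser: key, separator, value."""
    props = {}
    for ll in _logical_lines(text):
        m = re.match(r"((?:\\.|[^\s:=\\])+)\s*[=:]?\s*(.*)", ll)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def allow_html_enabled(text):
    """True when the effective value is truthy; JSPWiki's default is false."""
    value = parse_properties(text).get(ALLOW_HTML_KEY, "false")
    return value.strip().lower() in TRUTHY
```

Running `allow_html_enabled` over each deployed properties file flags instances where the raw HTML passthrough the comment warns about has been switched on.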



--
This message was sent by Atlassian Jira
(v8.20.10#820010)