Last modified by Thomas Mortagne on 2024/03/15

This page aims at listing the specific things that a developer should be careful with to avoid introducing new vulnerabilities in scripts and extensions. All security topic related to administration of the wiki is located in the security page of the administrator guide.

Scripting and Escaping

The first vulnerability in scripts is the user inputs: any input that a user can provide could possibly be an open door to an attack. Either XSS when the content is output in an HTML context, or XWiki syntax injection when the syntax is injected, e.g., in a Velocity macro where parsing of the output is enabled (the default). It doesn't matter where in the output the user's input is used. Regardless if it is in a parameter, an HTML macro or a verbatim syntax, by including the respective closing syntax, user input can always close whatever syntax it is part of. The nested script macro protection is no protection against attacks. By putting the nested script macro, e.g., inside an async macro, the nested script macro protection can easily be circumvented as the async macro has its own parsing context.

So in order to mitigate this, developers should always ensure to use the proper escaping mechanism. The most important ways to escape content are:

  • $services.rendering.escape($content, 'xwiki/2.1') for XWiki syntax
  • $escapetool.xml($content) for HTML output. This can also be used in an HTML macro and escapes {, thereby preventing the closing of the HTML macro through user input.

Make sure you always test if escaping actually protects against attacks by writing appropriate tests.

xwiki/2.0 and xwiki/2.1 syntaxes

Link label

In XWiki syntax 2.0 and 2.1 the link is parsed in two passes, each pass having its own escaping:

  • the global link is first parsed with the label being just one big string
  • then the label is parsed on its own

What this means in practice is that when you need to escape something in the link label you need to escape it twice. For example if you want to print something that may contains wiki syntax as a link label you could do for example in Velocity:

  #set ($userContent = '{{mymacro/}}')
 #set ($escapedLabel = $services.rendering.escape($services.rendering.escape($userContent, 'xwiki/2.1'), 'xwiki/2.1'))
  [[label $escapedLabel>>Main.WebHome]]


It's impossible to properly escape content to put in verbatim syntax in syntaxes xwiki/2.0 and xwiki/2.1.

The simplest for this kind of use case is generally to use something like:

  $services.rendering.escape($doc.content, 'xwiki/2.1')

Code macro

It's impossible to properly escape content to put in code macro in syntaxes xwiki/2.0 and xwiki/2.1.

There are several alternatives if you need to highlight user input:

XWiki 14.10.2+

Use the source code macro parameter: instead of trying to escape the content you provide only a reference of a the content to highlight so no need to escape it anymore.

See Code Macro for more details.

XWiki <14.10.2

An alternative if you need to highlight user input is to return directly the MacroBlock instead of serializing it. For example in Groovy:

  return new org.xwiki.rendering.block.MacroBlock("code", ["language": "xml"], userInput, false)

Restricted Mode in macros

As explained in details in the documentation for writing macros, the Macro Transformation Context can be set in "Restricted Mode" and in your macro should respect this parameter (by checking macroContext.getTransformationContext().isRestricted()) and either not execute at all or execute in a restricted mode.

Protect against XXE attacks

Always follow the OWASP recommendations to protect against XXE attacks when parsing XML.

Right Checks in Script Services

Any code that is exposed as a script service needs to check the rights of the context author, i.e., the user who wrote the script, in addition to the context user, i.e., the user that is accessing the script. Currently, the only easy way to check rights of the context author is to check script or programming right using a contextual authorization manager. It takes important context information into account like if permissions have been dropped. In addition to that, all right checks that are done for the context user should be duplicated for the context author to ensure that no CSRF attacks are possible, i.e., there is no way to, e.g., write a script that executes a dangerous action as soon as a user with more rights accesses the document. It needs to be taken care that if permissions have been dropped, the context author cannot be trusted and thus no dangerous actions must be performed and no sensitive information must be disclosed.

If the script service exposes information or executes actions without further right checks, it must check for programming right of the context author.

Note that context author rights are currently not consistently enforced in XWiki, in particular there is no such concept in JavaScript. This is an area for future improvements, new code should still take context author rights into account.

Returning Data in Script Services

When returning any object in a script service, ensure that all its methods properly check access rights and don't allow modifying data without proper access right checks. Use wrapper objects to add right checks or hide dangerous methods. For example, returning an XWikiDocument is not safe as it allows modifying author information and executing the content with the new author.

Executing Code or XWiki Syntax

If possible, it should be avoided to introduce new code that directly executes (Velocity) code or XWiki syntax with transformations. Instead, existing APIs should be used, e.g., displaying a text area property instead of manually parsing the content of the property. If this should still be necessary, it is of utmost importance to:

  • Check that the author of the code has script right. Make sure you check the content author if the code is in the content of the document and the effective metadata author if the code is in an XObject.
  • Execute the code or transformations with the correct author in context. In Java, AuthorExecutor should be used for this. There is no way to do this in Velocity. There are hacks like dropPermissions but they are prone to security vulnerabilities and should thus be avoided.

Safe evaluation of objects

XWiki 14.10.21+, 15.5.5+, 15.10.2+

A new API has been introduced, allowing to specify exactly the XObjects properties that needs to be evaluated and how. 

This includes a new ObjectEvaluator component, that can be implemented with a hint matching the name of the XClass for which a safe evaluation is required. Implementations of ObjectPropertyEvaluator can be used to provide different evaluation strategies: an existing implementation already exists for Velocity evaluation of properties, with the hint velocity. For a full example of an ObjectEvaluator component, see the one for SearchSuggestSourceClass XClass.

Finally once the component is declared, the object properties can be safely evaluated by calling evaluate() on the object instance, which will return the map of evaluated properties.

Get Connected