Prevent redirections to untrusted domains

Last modified by Simon Urli on 2021/04/19

Redirections are now only performed to trusted domains in XWiki. The list of trusted domains is obtained from two sources:

  1. any URL used to access the wiki is considered trusted, as are all the aliases used for subwikis,
  2. the list of trusted domains can also be specified in xwiki.properties by setting the property url.trustedDomains.

If a redirection is attempted to a URL whose domain does not belong to either of these sources, a warning is logged and the redirect is prevented. Note that it's possible to switch off this security mechanism by setting the property url.trustedDomainsEnabled to false.
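The check described above, sketched in Python as an added example; it is not XWiki's own code. Assumptions: url.trustedDomains is a comma-separated list, a trusted domain also covers its subdomains, relative URLs are always allowed, and the logger name, function names and sample domains are constructed for illustration.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("redirect_guard")  # hypothetical logger name


def parse_trusted_domains(properties_text):
    """Read the two url.* properties named on this page from properties text."""
    domains, enabled = set(), True  # check is on unless explicitly set to false
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "url.trustedDomains":
            domains = {d.strip().lower() for d in value.split(",") if d.strip()}
        elif key == "url.trustedDomainsEnabled":
            enabled = value.lower() != "false"
    return domains, enabled


def is_trusted_redirect(target, trusted, enabled=True):
    """Return True if a redirect to `target` may proceed, else log and refuse."""
    if not enabled:
        return True  # mechanism switched off: nothing is checked
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        parts, host = None, ""
    # Browsers read "\" as "/", so a backslash can hide a host; refuse it.
    if parts is not None and "\\" not in target:
        if not parts.scheme and not parts.netloc:
            return True  # relative URL: stays on the host being accessed
        # Assumption: a trusted domain also covers its subdomains. Compare on
        # a label boundary so "notenterprise.org" never matches "enterprise.org".
        if host and any(host == d or host.endswith("." + d) for d in trusted):
            return True
    log.warning("Redirect to untrusted domain prevented: %r", target)
    return False


# Constructed sample: wiki access domains/aliases plus an xwiki.properties excerpt
ACCESS_DOMAINS = {"wiki.example.test", "subwiki.example.test"}
SAMPLE_PROPERTIES = "# comment\nurl.trustedDomains=foo.acme.org,enterprise.org\n"
CONFIGURED, ENABLED = parse_trusted_domains(SAMPLE_PROPERTIES)
TRUSTED = ACCESS_DOMAINS | CONFIGURED
```

The host is taken from the parsed authority rather than matched against the raw string, so a trusted name placed in the userinfo part or used as a bare suffix does not pass the check.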
