Stored cross-site scripting via RSS feed in splitbrain/dokuwiki


Reported on

May 13th 2023


Due to the improper handling of RSS titles in inc/parser/xhtml.php, a malicious RSS feed can be used to inject arbitrary HTML elements into the page, resulting in cross-site scripting.

inc/parser/xhtml.php line 1292-1294

                } else {
                    $this->doc .= ' '.$item->get_title();

Proof of Concept

<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="" xml:lang="en-US">
    <title type="text">test</title>
        <title type="html"><![CDATA[<svg><animate onbegin=alert(document.domain) attributeName=x dur=1s></animate></svg>]]></title>

Steps to reproduce

1​. Write the following contents to a page: (This URL contains the PoC above.)


2​. Confirm that alert(document.domain) is executed after saving the page.


An attacker can execute arbitrary JavaScript on Dokuwiki origin. Since administrators can install plugins, this could result in remote code execution if the administrator opens a page with crafted content.

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. 7 months ago
A GitHub Issue asking the maintainers to create a exists 7 months ago
We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back 7 months ago
Andreas Gohr
7 months ago


Thanks for the report. Fix is in progress

Andreas Gohr validated this vulnerability 7 months ago
RyotaK has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andreas Gohr marked this as fixed in 2023-04-04a with commit 53df38 7 months ago
Andreas Gohr has been awarded the fix bounty
This vulnerability will not receive a CVE
Andreas Gohr published this vulnerability 7 months ago
xhtml.php#L1292-L1294 has been validated
7 months ago


Hi @splitbrain, thank you so much for fixing this issue! Can you please assign a CVE ID for this?

to join this conversation