Last modified by Vincent Massol on 2023/11/29 14:00

This page aims at listing both the design decisions that have been taken in XWiki Standard and that developers and users should be aware.
It will also list the specific things that a developer should be careful with to avoid introducing new vulnerabilities.

Security design decisions

Script Right

Several features of XWiki requires Script right to work: it's true for backend scripts, but it's also true for frontend scripts (i.e. JavaScript).
This decision for needing a specific right for those things is directly linked to the capability of a user to perform various kind of attacks by using those scripts: administrators should never give this right lightly. At least for now, script right provides ways, e.g., through JavaScript, to execute actions in the name of the current user. This might be fixed in the future as this is not the idea of script right but for now, take this into account when granting script right to a user. As a best practice, instead of using scripting macros and JavaScript in a lot of pages, create wiki macros that encapsulate these scripts and load the necessary JavaScript code.

Security by default

Developers must ensure that XWiki has secure configurations by default (without the user having to change configuration).

Technical aspects

Scripting and Escaping

The first vulnerability in scripts is the user inputs: any input that a user can provide could possibly be an open door to an attack. Either XSS when the content is output in an HTML context, or XWiki syntax injection when the syntax is injected, e.g., in a Velocity macro where parsing of the output is enabled (the default). It doesn't matter where in the output the user's input is used. Regardless if it is in a parameter, an HTML macro or a verbatim syntax, by including the respective closing syntax, user input can always close whatever syntax it is part of. The nested script macro protection is no protection against attacks. By putting the nested script macro, e.g., inside an async macro, the nested script macro protection can easily be circumvented as the async macro has its own parsing context.

So in order to mitigate this, developers should always ensure to use the proper escaping mechanism. The most important ways to escape content are:

  • $services.rendering.escape($content, 'xwiki/2.1') for XWiki syntax. Warning: this is not enough when the content is in a label of a link. There, you need to escape twice as the content is parsed twice.
  • $escapetool.xml($content) for HTML output. This can also be used in an HTML macro and escapes {, thereby preventing the closing of the HTML macro through user input.

Make sure you always test if escaping actually protects against attacks by writing appropriate tests.

xwiki/2.0 and xwiki/2.1 syntaxes


It's impossible to properly escape content to put in verbatim syntax in syntaxes xwiki/2.0 and xwiki/2.1.

The simplest for this kind of use case is generally to use something like:

  $services.rendering.escape($doc.content, 'xwiki/2.1')
Code macro

It's impossible to properly escape content to put in code macro in syntaxes xwiki/2.0 and xwiki/2.1.

There are several alternatives if you need to highlight user input:


Use the source code macro parameter: instead of trying to escape the content you provide only a reference of a the content to highlight so no need to escape it anymore.

See Code Macro for more details.


An alternative if you need to highlight user input is to return directly the MacroBlock instead of serializing it. For example in Groovy:

  return new org.xwiki.rendering.block.MacroBlock("code", ["language": "xml"], userInput, false)

Restricted Mode in macros

As explained in details in the documentation for writing macros, the Macro Transformation Context can be set in "Restricted Mode" and in your macro should respect this parameter (by checking macroContext.getTransformationContext().isRestricted()) and either not execute at all or execute in a restricted mode.

Protect against XXE attacks

Always follow the OWASP recommendations to protect against XXE attacks when parsing XML.

Right Checks in Script Services

Any code that is exposed as a script service needs to check the rights of the context author, i.e., the user who wrote the script, in addition to the context user, i.e., the user that is accessing the script. Currently, the only easy way to check rights of the context author is to check script or programming right using a contextual authorization manager. It takes important context information into account like if permissions have been dropped. In addition to that, all right checks that are done for the context user should be duplicated for the context author to ensure that no CSRF attacks are possible, i.e., there is no way to, e.g., write a script that executes a dangerous action as soon as a user with more rights accesses the document. It needs to be taken care that if permissions have been dropped, the context author cannot be trusted and thus no dangerous actions must be performed and no sensitive information must be disclosed.

If the script service exposes information or executes actions without further right checks, it must check for programming right of the context author.

Note that context author rights are currently not consistently enforced in XWiki, in particular there is no such concept in JavaScript. This is an area for future improvements, new code should still take context author rights into account.

Returning Data in Script Services

When returning any object in a script service, ensure that all its methods properly check access rights and don't allow modifying data without proper access right checks. Use wrapper objects to add right checks or hide dangerous methods. For example, returning an XWikiDocument is not safe as it allows modifying author information and executing the content with the new author.

Executing Code or XWiki Syntax

If possible, it should be avoided to introduce new code that directly executes (Velocity) code or XWiki syntax with transformations. Instead, existing APIs should be used, e.g., displaying a text area property instead of manually parsing the content of the property. If this should still be necessary, it is of utmost importance to:

  • Check that the author of the code has script right. Make sure you check the content author if the code is in the content of the document and the effective metadata author if the code is in an XObject.
  • Execute the code or transformations with the correct author in context. In Java, AuthorExecutor should be used for this. There is no way to do this in Velocity. There are hacks like dropPermissions but they are prone to security vulnerabilities and should thus be avoided.

Get Connected