GHSA-r5xw-gcgw-hwp5: YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes
Summary
YesWiki's Bazar widget handler reflects the id GET parameter into HTML attributes using strip_tags() only. Because strip_tags() does not escape double quotes, an attacker can break out of the attribute value, inject an event handler such as onmouseover, and execute arbitrary JavaScript in the victim's browser.
This issue is reachable without authentication. During validation, the vulnerable widget route returned the injected HTML for both /HomePage/widget?id=... and /NoSuchPage/widget?id=..., which shows that no login, no page ownership, no edit rights, and not even a valid page tag were required. The only routing prerequisite observed was that the Bazar extension is enabled and the request includes an id parameter.
Details
The primary sink is in tools/bazar/presentation/templates/widget.tpl.html around lines 4-7, where $_GET['id'] is inserted into the data-formid attribute:
data-formid="<?php echo strip_tags($_GET['id']); ?>"
strip_tags() is not an output-encoding function. It removes HTML tags, but it does not escape characters such as double quotes, so an attacker can terminate the data-formid attribute and inject new attacker-controlled attributes.
The route is served by tools/bazar/handlers/__WidgetHandler.php around lines 14-26, which only checks whether $_GET['id'] is present:
if (!isset($_GET['id'])) {
return null;
}
No HasAccess('read'), HasAccess('write'), or authentication check is performed before the vulnerable template is rendered.
There is also a second reflection path in the same handler. The handler builds:
$urlParams = 'id=' . strip_tags($_GET['id']) . ...
and then places the resulting value into the widget template's data-iframeUrl attribute:
data-iframeUrl="<?php echo $GLOBALS['wiki']->href('bazariframe', '', $urlparams, false); ?>"
During validation, a single payload injected into id was reflected into both data-formid and data-iframeUrl, which confirms that the handler exposes multiple attribute-level sinks from the same uns
Details
Original advisory: https://github.com/advisories/GHSA-r5xw-gcgw-hwp5
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52774 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10