### Impact
HTML rendering didn’t check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax.
### Patches
This has been patched in XWiki 14.6 RC1.
### Workarounds
There are no known workarounds apart from upgrading to a fixed version.
### References
* https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
* https://jira.xwiki.org/browse/XRENDERING-663
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)Read More