Liferay Issues

ZZZ: PUBLIC - Old Liferay Portal (Use Liferay Portal Standard Edition)
  • LEP-7056

Journal Article Editing does not escape user input


Details

  • Type: Bug
  • Status: Open
  • Priority: Critical
  • Resolution: Unresolved
  • Affects Version/s: None
  • Fix Version/s: None
  • Component/s: None
  • Labels: None
  • Similar Issues:
    LEP-3479 Double quotes breaks Journal Article text inputs (and probable others too)
    LEP-5170 users cannot see save buttons for edit journal article
    LEP-1274 Journal Content portlet does not display "Add Article" icon for non-admin user
    LEP-3444 Image disappears when you edit the journal article
    LEP-2669 Journal Article Permissioning

Description

User input in Journal Article editing text fields etc. is currently NOT escaped.

This allows editors to inject (harmful) code, i.e. going against the CI defined by the template, destroying the whole site layout/design or even more evil things like injecting XSS code.

In my opinion it's absolutely necessary to escape user input here - maybe except text areas with a WYSIWYG editor, which allow HTML code explicitly.

Injecting HTML code is definitely possible and I promise that this works for SQL injections, too.

Activity

Fabian Barney added a comment - 11/Aug/08 2:40 AM

Did not find anything to edit this bug:
This issue affects Liferay version 5.1.0 at least.

Gavin Wan added a comment - 11/Aug/08 7:48 PM

Hi Fabian,
The text is in a <![CDATA[ ]]> wrap.
It can not be saved if ']]>' is in the text.
02:41:35,765 ERROR [JournalUtil:710] org.dom4j.DocumentException: Error on line 1 of document : The character sequence "]]>" must not appear in content unless used to mark the end of a CDATA section. Nested exception: The character sequence "]]>" must not appear in content unless used to mark the end of a CDATA section.
How can I save the injected code?

Raymond Auge added a comment - 11/Aug/08 8:22 PM

This should be something like a per-field flag during structure creation, allowing the possibility to produce completely locked down/scrubbed article input forms.

But, we definitely still want to allow unlimited scripting in many cases.

We're in the process of re-writing the Journal Article/Structure Editing UI, and will have configurable per-field validation somewhere in the mix. I can see this being implemented as a validation option (something like "[on|off] Escape Input").

Fabian Barney added a comment - 12/Aug/08 3:36 AM

Hi,

take a structure with a text input field.
Now insert something like:

Heading <script type="text/javascript" >alert("Hello, I can rewrite the whole page via DOM.");</script>

Since you can rewrite via such an injected Javascript the whole page, you can insert/rewrite any code you like at any point.
The String "]]>" can also be injected by Javascript - just split it in two or more commands like
document.write("]]");
document.write(">");

But this is not necessary - you'll see it when trying the example above.

What Ray says about further extensions sounds good for me. Currently it's not a good idea to give somebody an editor role, when you do not 100% trust him/her.

Fabian Barney added a comment - 12/Aug/08 9:05 AM

Just another suggestion for a solution:
Give Template Designer an extra VM-Method like '$xyz.getEscapedData()'.

I think it should be sufficient when this method returns the same String as 'getData()' but finally passed through Apache Commons StringEscapeUtils.escapeHtml(String) method.


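To make the thread's point concrete, here is an added example (not Liferay code, not written by any commenter) in Python: the CDATA wrap Gavin describes keeps the stored article XML well-formed but does not neutralise markup on output, while an escaped accessor of the kind Fabian proposes (his `getEscapedData()`, shown here as a hypothetical `get_escaped_data`) does. The element names and the `render` stand-in for a Velocity template are assumptions.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: what an editor typed into a structure's text field.
# This is the payload quoted in the thread, embedded only to show how
# output escaping neutralises it.
FIELD_INPUT = ('Heading <script type="text/javascript" >'
               'alert("Hello, I can rewrite the whole page via DOM.");</script>')


def can_store(text):
    """A CDATA section cannot contain its own terminator; this is the case
    dom4j rejects in the log line quoted in the thread."""
    return "]]>" not in text


def wrap_in_cdata(text):
    """Store the field the way the thread describes: inside CDATA.
    CDATA only protects XML well-formedness; it does no HTML escaping."""
    if not can_store(text):
        raise ValueError('"]]>" must not appear inside a CDATA section')
    return ("<root><dynamic-content><![CDATA[" + text
            + "]]></dynamic-content></root>")


def get_data(article_xml):
    """Equivalent of the template's getData(): the stored text, verbatim."""
    root = ET.fromstring(article_xml)
    return root.find("dynamic-content").text or ""


def get_escaped_data(article_xml):
    """Hypothetical getEscapedData(): same text as get_data(), passed
    through an HTML escaper so tags render as literal text."""
    return html.escape(get_data(article_xml), quote=True)


def render(template_value):
    """Stand-in for a Velocity template that drops the value into an <h1>."""
    return "<h1>" + template_value + "</h1>"


def contains_live_script(rendered_html):
    """Review check over rendered output: did a real <script> element
    survive, i.e. was the field value emitted without escaping?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    stored = wrap_in_cdata(FIELD_INPUT)
    print("unescaped:", render(get_data(stored)))
    print("escaped:  ", render(get_escaped_data(stored)))
```
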
People

  • Assignee: SE Support
  • Reporter: Fabian Barney

Dates

  • Created: 11/Aug/08 1:44 AM
  • Updated: 12/Aug/08 9:05 AM
  • Resolved: 12/Aug/08 9:05 AM
