PUBLIC - Liferay Alloy UI
AUI-980

Scheduler component is susceptible to XSS attack

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.0.x
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      One can insert content into a calendar event that is then executed as JavaScript.

      Steps to reproduce

      1. Access http://alloyui.com/examples/scheduler/real-world/
      2. Click on the grid to create an event, as in the picture below:
      3. As the title of the event, insert

        "><img src="xx" onerror="alert('xss')" /><"

        with the quotes.

      4. Click "Save"

      Expected results

      1. No alert dialog will pop up.
      2. The title of the event will be presented as below:

      Actual results

      1. An alert dialog appears as below, and the event title is presented as "> <"
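The defensive counterpart to the report above, as an added example that is not part of this issue or of AlloyUI's own code: the event title from the reproduction steps is rendered once by plain string concatenation (the pattern the report describes, which lets the browser parse the injected tag) and once after HTML-escaping, which makes the browser show the title as text. The function names, the wrapper markup and the `containsInjectedTag` check are assumptions made for this example.

```javascript
// Added example (not AlloyUI code): escaping an event title before it is
// concatenated into scheduler markup. Function names are assumptions.

// The title from the issue's reproduction steps, used here as constructed input.
const XSS_TITLE = '"><img src="xx" onerror="alert(\'xss\')" /><"';

// Vulnerable pattern: the title is concatenated into HTML verbatim, so the
// browser parses the attacker-supplied <img> tag and runs its onerror handler.
function renderEventTitleUnsafe(title) {
  return '<div class="scheduler-event-title">' + title + '</div>';
}

// Hardened pattern: every HTML-significant character in the title is replaced
// by its entity before concatenation, so the title is displayed as literal text.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

function renderEventTitleSafe(title) {
  return '<div class="scheduler-event-title">' + escapeHtml(title) + '</div>';
}

// Regression check: after stripping the wrapper we wrote ourselves, does the
// rendered markup still contain any angle bracket (i.e. an injected tag)?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<div class="scheduler-event-title">/, '')
    .replace(/<\/div>$/, '');
  return /[<>]/.test(inner);
}

console.log('unsafe :', renderEventTitleUnsafe(XSS_TITLE));
console.log('escaped:', renderEventTitleSafe(XSS_TITLE));
console.log('injected tag in unsafe output :', containsInjectedTag(renderEventTitleUnsafe(XSS_TITLE)));
console.log('injected tag in escaped output:', containsInjectedTag(renderEventTitleSafe(XSS_TITLE)));
```

In browser code the same effect is obtained without any manual escaping by assigning the title to the element's `textContent` instead of building an HTML string; the escaping function above is what you need when the title has to pass through a string-based template. The `containsInjectedTag` check is the kind of assertion a unit test for the renderer can run against the payload from this issue.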

        Attachments

        1. create-event.png (41 kB)
        2. no-xss.png (5 kB)
        3. xss-popup.png (56 kB)


            People

            Assignee: ui_alloy UI Alloy
            Reporter: adam.brandizzi Adam Brandizzi
            Votes: 0
            Watchers: 0

              Dates

              Days since last comment: 8 years, 12 weeks, 5 days ago
