[AUI-980] Scheduler component is susceptible to XSS attack - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: 2.0.x
Fix Version/s: None
Component/s: None
Labels:
- security
- xss

Description

One can insert content in the content of a calendar event which will be executed as JavaScript.

Steps to reproduce

Access http://alloyui.com/examples/scheduler/real-world/
Click on the grid to create an event, as in the picture below:
As the title of the event, insert

"><img src="xx" onerror="alert('xss')" /><"

with the quotes.
Click in "Save"

Expected results

No alert dialog will pop up.
The title of the event will be presented as below:

Actual results

An alert dialog appears as below, and the event title is presented as "> <"

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

create-event.png
41 kB
09/Sep/13 6:25 AM
no-xss.png
5 kB
09/Sep/13 6:25 AM
xss-popup.png
56 kB
09/Sep/13 6:25 AM

Activity

People

Assignee:: UI Alloy

Reporter:: Adam Brandizzi

Participants of an Issue:: Adam Brandizzi, UI Alloy

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 09/Sep/13 6:25 AM

Updated:: 20/Oct/14 9:09 AM

Resolved:: 09/Sep/13 1:29 PM

Days since last comment:: 8 years, 49 weeks, 6 days ago

Packages

Version	Package