  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-16922

XSS javascript appended to URL can be executed

    Details

      Description

      Steps to reproduce

      1) Start up a vanilla master bundle
      2) In any browser (without adblock or similar), visit
      http://localhost:8080/web/guest/-/xss'.replace('http://localhost:8080/web/guest/-/xss',eval('alert(String.fromCharCode(88,83,83))'));x='

      3) Inspect the HTML source of the page; the URL is not sanitized:

      getCanonicalURL: function(){
       return 'http://localhost:8080/-/xss'.replace('http://localhost:8080/web/guest/-/xss',eval('alert(String.fromCharCode(88,83,83))'));x='';
       },
      

      4) From the same browser tab, execute this JavaScript:
      themeDisplay.getCanonicalURL();

      Actual result: XSS popup
      Expected result: no XSS

      Reproduced on:
       master 
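
The failure mode in steps 3 and 4, reproduced as an added example (not Liferay code and not part of the original report): the request URL from step 2 is written into a single-quoted JavaScript string literal, once unescaped and once with every non-alphanumeric character encoded as `\uXXXX`. The names `renderUnsafe`, `renderSafe`, `escapeJsString` and `evaluate` are hypothetical, and `alert` is replaced by a stub that records calls.

```javascript
// Added example with constructed values; not Liferay source code.

// Request URL from step 2 of the report.
const REQUEST_URL =
  "http://localhost:8080/web/guest/-/xss'.replace(" +
  "'http://localhost:8080/web/guest/-/xss'," +
  "eval('alert(String.fromCharCode(88,83,83))'));x='";

// Vulnerable pattern: the URL is concatenated into a single-quoted
// JavaScript string literal without any escaping.
function renderUnsafe(url) {
  return "({ getCanonicalURL: function () { return '" + url + "'; } })";
}

// Hypothetical helper: encode every non-alphanumeric UTF-16 code unit as
// \uXXXX so quotes, backslashes, line terminators and "</script>" cannot
// terminate the literal or the surrounding inline script.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSafe(url) {
  return renderUnsafe(escapeJsString(url));
}

// Evaluate the generated script with a stub alert() that records calls,
// then invoke getCanonicalURL() as in step 4 of the report.
function evaluate(source) {
  const alertCalls = [];
  const stubAlert = (msg) => alertCalls.push(msg);
  const themeDisplay = new Function("alert", "return " + source)(stubAlert);
  const result = themeDisplay.getCanonicalURL();
  return { result, alertCalls };
}

const unsafe = evaluate(renderUnsafe(REQUEST_URL));
const safe = evaluate(renderSafe(REQUEST_URL));
console.log("unsafe:", unsafe.alertCalls, "safe:", safe.alertCalls);
```

With the escaped rendering, `getCanonicalURL()` returns the original URL as plain string data and the stub is never called.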

              People

              • Assignee:
                support-ee EE Support
                Reporter:
                roland.pakai Roland Pákai