PUBLIC - Liferay Portal Enterprise Edition
LPE-16922

XSS javascript appended to URL can be executed

Description

Steps to reproduce

1) Start up a vanilla master bundle
2) In any browser (without adblock or a similar extension), visit
      http://localhost:8080/web/guest/-/xss'.replace('http://localhost:8080/web/guest/-/xss',eval('alert(String.fromCharCode(88,83,83))'));x='

3) Inspecting the HTML source of the page shows that the URL is written into the inline script unsanitized:

      getCanonicalURL: function(){
       return 'http://localhost:8080/-/xss'.replace('http://localhost:8080/web/guest/-/xss',eval('alert(String.fromCharCode(88,83,83))'));x='';
       },

4) From the same browser tab, execute this JavaScript:
      themeDisplay.getCanonicalURL();

      Actual result: XSS popup
      Expected result: no XSS

Reproduced on:
       master
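The snippet in step 3 drops the request URL into a single-quoted JavaScript string with no escaping, which is why a quote in the path ends the literal and the rest of the path runs as code. As an added illustration (not Liferay code, and not part of this report), the following Node.js script puts that unsafe rendering next to a hardened one: the value is first checked to be an absolute http(s) URL on an allowed host, then serialised as a JavaScript string literal with the characters that matter to the script and HTML parsers escaped. The function names, `allowedHosts` and the sample URL are constructed for the example.

```javascript
// Added example (not Liferay's code): rendering a server-side value into an
// inline <script> the unsafe way vs. as a properly escaped JS string literal.

// Unsafe rendering, mirroring the shape of the snippet quoted in the report:
// the value is concatenated straight into a quoted JS string, so a value
// containing a quote ends the literal and whatever follows runs as code.
function renderCanonicalUrlUnsafe(url) {
  return "getCanonicalURL: function(){ return '" + url + "'; }";
}

// Encode an arbitrary string as a JavaScript string literal that is safe to
// embed inside an inline <script> element. JSON.stringify handles double
// quotes, backslashes and control characters; the extra replacements cover
// single quotes (in case a template wraps the value in them), the characters
// that matter to the HTML parser (`</script>`, `<!--`) and the two line
// terminators that JSON permits but JavaScript treats as newlines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/'/g, "\\u0027")
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Defence in depth: before emitting a canonical URL at all, check that it is
// an absolute http(s) URL for a host this site serves, so a crafted path is
// not carried into the page unexamined. allowedHosts is a hypothetical
// configuration value.
function isAcceptableCanonicalUrl(candidate, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  return allowedHosts.includes(parsed.host);
}

// Hardened rendering: reject URLs that fail the check, and always emit the
// value as an escaped literal rather than by string concatenation.
function renderCanonicalUrlSafe(url, allowedHosts) {
  const value = isAcceptableCanonicalUrl(url, allowedHosts) ? url : "";
  return "getCanonicalURL: function(){ return " + jsStringLiteral(value) + "; }";
}

// Constructed sample input: a URL whose path contains a single quote and a
// closing script tag, the two things an inline-script context must neutralise.
const SAMPLE_URL = "http://localhost:8080/-/xss'.replace('x',alert(1));x='</script>";
const ALLOWED_HOSTS = ["localhost:8080"];

function demo() {
  const unsafe = renderCanonicalUrlUnsafe(SAMPLE_URL);
  const safe = renderCanonicalUrlSafe(SAMPLE_URL, ALLOWED_HOSTS);
  const literal = jsStringLiteral(SAMPLE_URL);
  // Evaluating the escaped literal on its own yields the original string,
  // i.e. nothing in it was interpreted as code.
  const roundTrip = new Function("return " + literal)();
  return { unsafe, safe, literal, roundTripOk: roundTrip === SAMPLE_URL };
}

const result = demo();
console.log("unsafe:", result.unsafe);
console.log("safe:  ", result.safe);
console.log("round trip intact:", result.roundTripOk);
```

In the unsafe output the quote in the path closes the literal exactly as in the report; in the safe output the same path survives only as `\u0027`, `\u003c` and `\u003e` escapes inside a double-quoted literal, and evaluating that literal returns the original text rather than running it. The host check is the second layer: a canonical URL that is not an http(s) URL on a known host is dropped before it reaches the template at all.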


People

Assignee: support-ee EE Support
Reporter: roland.pakai Roland Pákai
