Details

      Description

      A quite effective XSS prevention is to "externalize" all inline scripts, i.e. move them into dedicated JS files, and set a CSP header to deny unsafe-inline. Even if developers follow this approach in custom modules, this policy cannot be applied because inline scripts are quite frequent in LR code. E.g. searching for '<script' in JSP/JSPF files in the LR master returns ca. 170 files.
      While it is beneficial to escape all user input, if some is left unhandled, that CSP policy can still mitigate any damage. So from my POV that externalization should be a higher priority than patching individual XSS issues.
      170 files may seem like a huge number, but I hope in most cases it could be just copy/paste without significant refactoring.
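As an added example (not code from this issue or from Liferay): a small Python inventory script that distinguishes, in constructed JSP/JSPF snippets, the <script src="..."> elements that a script-src 'self' policy still allows from the inline script bodies, inline event handlers and javascript: URLs it would block, together with the header value such a policy uses. A plain search for '<script' counts external and inline scripts alike, so a classification like this gives a closer estimate of how much actually needs externalizing. The file names, file contents and the optional nonce are assumptions made for the example.

```python
"""Inventory of inline-script usage that a CSP without 'unsafe-inline' blocks.

Added example; not code from the Liferay issue or code base. The JSP
snippets and file names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample sources with hypothetical names (not real Liferay files).
SAMPLE_FILES: Dict[str, str] = {
    "view.jsp": """
<script src="/o/portal/js/main.js"></script>
<script>
    Liferay.Util.toggleBoxes('<portlet:namespace />check', '<portlet:namespace />box');
</script>
<a href="javascript:void(0);" onclick="submitForm();">Go</a>
""",
    "init.jspf": """
<script type="text/javascript" src="/o/portal/js/init.js"></script>
""",
}

# A <script> element with its attributes and body. Attribute values that
# contain JSP scriptlets (<%= ... %>) are not handled by this simple pattern.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"\bsrc\s*=", re.IGNORECASE)
# Inline event handler attributes (onclick=, onload=, ...); approximate.
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=\s*[\"']", re.IGNORECASE)
# javascript: URLs in href/src attributes.
JS_URL = re.compile(r"\b(?:href|src)\s*=\s*[\"']\s*javascript:", re.IGNORECASE)


@dataclass
class Findings:
    external_scripts: int = 0  # <script src=...>: allowed by script-src 'self'
    inline_scripts: int = 0    # <script> with a body: blocked without 'unsafe-inline'
    event_handlers: int = 0    # onclick= etc.: also blocked without 'unsafe-inline'
    javascript_urls: int = 0   # href="javascript:...": blocked as well

    def blocked(self) -> int:
        """Number of constructs the policy would refuse to execute."""
        return self.inline_scripts + self.event_handlers + self.javascript_urls


def scan(source: str) -> Findings:
    """Classify script usage in one JSP/JSPF source text."""
    found = Findings()
    for attrs, body in SCRIPT_TAG.findall(source):
        if SRC_ATTR.search(attrs):
            found.external_scripts += 1  # browsers ignore the body when src is set
        elif body.strip():
            found.inline_scripts += 1
    found.event_handlers = len(EVENT_HANDLER.findall(source))
    found.javascript_urls = len(JS_URL.findall(source))
    return found


def inventory(files: Dict[str, str]) -> Dict[str, Findings]:
    """Scan every file; a plain grep for '<script' would count the external ones too."""
    return {name: scan(text) for name, text in files.items()}


def csp_value(nonce: Optional[str] = None) -> str:
    """Content-Security-Policy header value that denies inline script.

    Externalized scripts load from 'self'. If a few scripts genuinely cannot be
    moved, a per-response nonce (generated fresh for each response) allows just
    those <script nonce="..."> elements without reopening 'unsafe-inline'.
    """
    script_src = ["'self'"]
    if nonce:
        script_src.append(f"'nonce-{nonce}'")
    return (
        "default-src 'self'; "
        f"script-src {' '.join(script_src)}; "
        "object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    for name, found in inventory(SAMPLE_FILES).items():
        print(f"{name}: {found} -> {found.blocked()} blocked construct(s)")
    print("Content-Security-Policy:", csp_value())
```

Running it over a real checkout means reading each JSP/JSPF file into the dict instead of the constructed samples; the event-handler and javascript: URL counts matter because those are also refused once unsafe-inline is gone, even after every <script> body has been moved to a file.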

              People

              Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              honyk Jan Tošovský
