Details

    • Bug
    • Status: Open
    • Resolution: Unresolved
    • 7.4.2 CE GA3, Master
    • Windows 10
    • Oracle Sun JDK 8
    • Apache Tomcat 9.0.x
    • Accessibility

    Description

      We are dealing with XSS in our HTML editors. That is why we have implemented the AntiSamy sanitizer to clean up the incoming HTML structure. But videos are supported in our editors.

      Impact

      The video tag is removed after sanitization.

      Exploitation

      Prepare an HTML structure with a video tag, e.g.:
        <p><video controls="" src="sample01.mp4"> </video></p>

      Run the sanitizer on it:
        SanitizerUtil.sanitize(
            user.getCompanyId(), groupId, userId, className,
            resourceId, ContentTypes.TEXT_HTML, Sanitizer.MODE_XSS, content,
            null);

      The content after sanitization will be:
        <p></p>

      Remediation

      Add support for the video tag to the AntiSamy configuration:
      https://github.com/liferay/liferay-portal/blob/master/modules/apps/portal-security/portal-security-antisamy/src/main/resources/META-INF/resources/sanitizer-configuration.xml
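      As an added illustration (not part of the original report and not Liferay's shipped policy), here is what an allowlist rule for the video tag could look like in AntiSamy policy syntax. It assumes the policy already defines the onsiteURL and offsiteURL regular expressions in its common-regexps section, as the stock AntiSamy policies do, and that the editor emits the boolean attribute as controls="" (as in the reproduction above); the regexp names and the attribute set are assumptions to check against the real sanitizer-configuration.xml. A matching rule for the source child tag is included in case the editor emits <source> elements instead of a src attribute on the video tag.

```xml
<!-- Added example, not Liferay's own configuration. Place inside <tag-rules>. -->
<!-- action="validate" keeps the tag and checks each listed attribute; an attribute
     that is not listed here (onplay, onerror and every other on* handler) or that
     fails its check is removed, which is the property we rely on for XSS defence. -->
<tag name="video" action="validate">
  <!-- Only plain relative or http(s) URLs survive. javascript: and data: URLs match
       neither regexp and are dropped. Assumes onsiteURL/offsiteURL are defined in
       <common-regexps>, as in the stock AntiSamy policies. -->
  <attribute name="src">
    <regexp-list>
      <regexp name="onsiteURL"/>
      <regexp name="offsiteURL"/>
    </regexp-list>
  </attribute>
  <!-- poster is also a URL-valued attribute and gets the same restriction. -->
  <attribute name="poster">
    <regexp-list>
      <regexp name="onsiteURL"/>
      <regexp name="offsiteURL"/>
    </regexp-list>
  </attribute>
  <!-- Boolean attributes: accept the bare form (controls="controls") and the empty
       value (controls="") that the editor emits; any other value is rejected. -->
  <attribute name="controls">
    <regexp-list>
      <regexp value="^(controls)?$"/>
    </regexp-list>
  </attribute>
  <attribute name="autoplay">
    <regexp-list>
      <regexp value="^(autoplay)?$"/>
    </regexp-list>
  </attribute>
  <attribute name="loop">
    <regexp-list>
      <regexp value="^(loop)?$"/>
    </regexp-list>
  </attribute>
  <attribute name="muted">
    <regexp-list>
      <regexp value="^(muted)?$"/>
    </regexp-list>
  </attribute>
  <!-- Enumerated attribute: only the values the HTML spec defines. -->
  <attribute name="preload">
    <regexp-list>
      <regexp value="^(none|metadata|auto)?$"/>
    </regexp-list>
  </attribute>
  <!-- Dimensions: digits only, no units or expressions. -->
  <attribute name="width">
    <regexp-list>
      <regexp value="^[0-9]{1,4}$"/>
    </regexp-list>
  </attribute>
  <attribute name="height">
    <regexp-list>
      <regexp value="^[0-9]{1,4}$"/>
    </regexp-list>
  </attribute>
</tag>

<!-- Optional companion rule for <source> children, with the same URL restriction
     on src and a MIME type limited to video/* tokens. -->
<tag name="source" action="validate">
  <attribute name="src">
    <regexp-list>
      <regexp name="onsiteURL"/>
      <regexp name="offsiteURL"/>
    </regexp-list>
  </attribute>
  <attribute name="type">
    <regexp-list>
      <regexp value="^video/[a-zA-Z0-9.+-]+$"/>
    </regexp-list>
  </attribute>
</tag>
```

      With this rule the reproduction input <p><video controls="" src="sample01.mp4"> </video></p> should pass through unchanged, while an input such as <video src="javascript:alert(1)" onplay="alert(1)"> would lose both attributes: onplay because it is not listed, src because a javascript: URL matches neither URL regexp. After changing the policy, re-run the reproduction steps above with both kinds of input to confirm the tag is kept and the handlers are stripped.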

          People

            support-lep@liferay.com SE Support
            suchanek.vaclav999 Václav Suchánek
            Kiyoshi Lee Kiyoshi Lee