Details

    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.4.2 CE GA3, Master
    • Fix Version/s: None
    • Labels:
      None
    • OS:
      Windows 10
    • JDK:
      Oracle Sun JDK 8
    • Application Servers:
      Apache Tomcat 9.0.x

      Description

      We are dealing with XSS in our HTML editors. That is why we have implemented the AntiSamy sanitizer to clean up the incoming HTML structure. But videos are supported in our editors.

      Impact

      The video tag is removed after sanitization.

      Exploitation

      Prepare an HTML structure with a video tag, e.g.:
      <p><video controls="" src="sample01.mp4"> </video></p>

      Run the sanitizer on it:
      SanitizerUtil.sanitize(
          user.getCompanyId(), groupId, userId, className, resourceId,
          ContentTypes.TEXT_HTML, Sanitizer.MODE_XSS, content, null);

      Content after sanitization will be:
      <p></p>

      Remediation

      Add support for the video tag to the AntiSamy configuration:
      https://github.com/liferay/liferay-portal/blob/master/modules/apps/portal-security/portal-security-antisamy/src/main/resources/META-INF/resources/sanitizer-configuration.xml
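      As an added illustration (not Liferay's sanitizer-configuration.xml and not from the reporter), the following AntiSamy policy fragment shows the shape of a whitelist entry for the video tag. It assumes the policy already defines the common regexps onsiteURL and offsiteURL under <common-regexps>, as the stock AntiSamy policies do; an attribute value that matches none of them is dropped, so the tag survives while unexpected src schemes do not.

```xml
<!-- Added example; goes inside <tag-rules> of an AntiSamy policy. -->
<!-- Assumes onsiteURL and offsiteURL exist under <common-regexps>. -->
<tag name="video" action="validate">
  <!-- src is kept only when it matches the policy's URL regexps;
       any other value fails validation and the attribute is removed -->
  <attribute name="src">
    <regexp-list>
      <regexp name="onsiteURL"/>
      <regexp name="offsiteURL"/>
    </regexp-list>
  </attribute>
  <!-- boolean attribute; the reporter's sample uses controls="" -->
  <attribute name="controls">
    <literal-list>
      <literal value=""/>
      <literal value="controls"/>
    </literal-list>
  </attribute>
</tag>
```

      With action="validate", attributes not listed (event handlers included) and child elements such as <source> remain stripped unless they are whitelisted explicitly.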

            People

            Assignee:
            support-lep@liferay.com SE Support
            Reporter:
            suchanek.vaclav999 Václav Suchánek