[LPS-151435] Workflow Source is allowing user to turn code into characters - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: Master
Fix Version/s: 7.4.3.41 CE GA41, Master
Component/s: Workflow
Labels:

Fix Priority:
3
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/122174

Description

Description:
Workflow Source is allowing user to turn code into characters

Steps to Reproduce:

Go to Workflow > Process Builder
Add a New Workflow and go to Source View

Import the attached xml file and see the tag

<name>&apos;&quot;&gt;&lt;script&gt;alert(/def-name/)&lt;/script&gt;</name>

Click on Diagram View button
Click on Source view button

Expected Result:
The tag name should remain

<name>&apos;&quot;&gt;&lt;script&gt;alert(/def-name/)&lt;/script&gt;</name>

Actual Result:
The tag name has changed to

<name>'"><script>alert(/def-name/)</script></name

Verified on master : 3e03bc665911e43653095ffb59c1b94fe5a6d994

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

xss-workflow-definition.xml
1 kB
14/Jul/22 11:07 AM

Activity

People

Assignee:: Henrique Pereira

Reporter:: Ana Buchmann

Participants of an Issue:: Ana Buchmann, Henrique Pereira

Recent user:: Felipe Lins

Engineering Assignee:: Henrique Pereira

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 12/Apr/22 1:48 PM

Updated:: 26/Oct/22 10:02 AM

Resolved:: 25/Aug/22 8:03 AM

Days since last comment:: 1 year, 6 weeks, 6 days ago

Packages

Version	Package
7.4.3.41 CE GA41
Master