Details

    • Type: Bug
    • Status: Closed
    • Resolution: Duplicate
    • Affects Version/s: 5.2.X EE
    • Fix Version/s: 5.2.X EE
    • Labels:
    • Environment:
      Tomcat 6.0.32 + MySQL 5. 5.2.x Revision 84424

      Description

      XSS issue where if you add the following line into a message board thread and open it, JavaScript is executed: [img]asd[font= onerror=alert(/XSS/.source)//]FF[/font][/img]

      Steps
      1. Hot deploy the hook plugin:
      2. Deploy the hook plugin "antisamy-hook".
      3. Log in to Liferay
      4. Add a Message Boards portlet.
      5. Add a new thread and enter for the body: "[img]asd[font= onerror=alert(/XSS/.source)//]FF[/font][/img]" and click save
      6. Click back into the thread
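
      The following is an added example, not part of the ticket and not Liferay's code. It assumes a hypothetical translator that rewrites each BBCode tag in its own regex pass and shows why nesting [font=] inside [img] yields an event-handler attribute, next to a single-pass version that validates and escapes every value. All function names are hypothetical; the only input taken from the page is the reported thread body.

```javascript
// Added example: a toy BBCode translator, not Liferay's implementation.
// REPORTED_BODY is the thread body from the ticket; other names are hypothetical.
const REPORTED_BODY = "[img]asd[font= onerror=alert(/XSS/.source)//]FF[/font][/img]";

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Assumed weak pattern: one regex pass per tag, values pasted into unquoted
// attributes, and the [img] pass running over markup the [font] pass emitted.
function renderNaive(body) {
  return body
    .replace(/\[font=([^\]]*)\](.*?)\[\/font\]/g, "<span style=font-family:$1>$2</span>")
    .replace(/\[img\](.*?)\[\/img\]/g, "<img src=$1>");
}

// Allowlists: [img] takes only an http(s) URL, [font=] only a plain family name.
const SAFE_URL = /^https?:\/\/[^\s"'<>\[\]]+$/;
const SAFE_FONT = /^[A-Za-z][A-Za-z0-9 -]{0,40}$/;

// Hardened: single pass; every value is validated, quoted and escaped, and a
// tag that fails validation is shown as literal text instead of markup.
function renderHardened(body) {
  const re = /\[img\]([\s\S]*?)\[\/img\]|\[font=([^\]]*)\]([\s\S]*?)\[\/font\]/g;
  const out = [];
  let last = 0;
  for (let m; (m = re.exec(body)) !== null; last = re.lastIndex) {
    out.push(escapeHtml(body.slice(last, m.index)));
    if (m[1] !== undefined) {
      out.push(SAFE_URL.test(m[1])
        ? `<img src="${escapeHtml(m[1])}" alt="">`
        : escapeHtml(m[0]));
    } else {
      out.push(SAFE_FONT.test(m[2])
        ? `<span style="font-family: ${m[2]}">${renderHardened(m[3])}</span>`
        : escapeHtml(m[0]));
    }
  }
  out.push(escapeHtml(body.slice(last)));
  return out.join("");
}

// True if any emitted tag carries an on* event-handler attribute.
const hasEventHandler = (html) => /<[^>]*\son\w+\s*=/i.test(html);

console.log(hasEventHandler(renderNaive(REPORTED_BODY)));    // true
console.log(hasEventHandler(renderHardened(REPORTED_BODY))); // false
```

      The hasEventHandler check can be reused as a regression test: run stored thread bodies through the renderer and fail the build if any output tag carries an on* attribute.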

              People

              Assignee:
              steven.cao Steven Cao (Inactive)
              Reporter:
              albert.lee Albert Lee (Inactive)
              Participants of an Issue:
              Recent user:
              Esther Sanz

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                11 years, 9 weeks, 1 day ago

                  Packages

                  Version Package
                  5.2.X EE