PUBLIC - Liferay Portal Community Edition
LPS-21530

Localized properties are never escaped using toEscapedModel

    Details

      Description

      In the past (LEP-4270), a method toEscapedModel() was created in all object models to protect the portal from XSS attacks. This method returned a Java object with several escaped properties.

      Later, i18n properties like Title or Description were created. These properties weren't returned escaped by toEscapedModel because they were XML; instead, the getXXX methods checked the isEscapedModel boolean, which indicates whether the object had been escaped (this variable was set to true in the toEscapedModel() method), and in that case the property was returned escaped:
      if (isEscapedModel()) {
          return HtmlUtil.escape(value);
      }
      else {
          return value;
      }

      Finally, the creation of this Java object in toEscapedModel() was replaced by the use of a Java proxy object (probably in LPS-8833), and the isEscapedModel boolean is always "false". Therefore i18n properties are never escaped.

      I think we should use @AutoEscape annotations to escape that kind of property and remove the old functionality (isEscapedModel).

      Steps to reproduce (one of the cases):
      1- Create a category with the title <script type="text/javascript">alert(123);</script>
      2- Go to a page and add the Categories Navigation portlet
      3- A popup is displayed with the text 123
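      The following stand-alone Java program is an added example (it is not Liferay code and not part of the original report) that simulates the mechanism the report describes: a proxy-based toEscapedModel() that escapes only the return values of methods carrying an @AutoEscape annotation, a generated getter whose isEscapedModel() branch never fires because the proxy never sets the flag, and the proposed fix of annotating the localized getter as well. The AutoEscape annotation, the CategoryOld/CategoryFixed interfaces, CategoryImpl and escape() are hypothetical stand-ins for the real annotation, the generated model interfaces and HtmlUtil.escape.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

/**
 * Simulation of the escaped-model mechanism from LPS-21530. Everything here
 * is a hypothetical stand-in for Liferay's annotation, model interfaces and
 * HtmlUtil; it is not the portal's own code.
 */
public class EscapedModelDemo {

    /** Stand-in for the @AutoEscape marker the report proposes to use. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface AutoEscape {}

    /** Minimal HTML escaper (stand-in for HtmlUtil.escape). */
    static String escape(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Model as it stands: the localized getter carries no annotation. */
    interface CategoryOld {
        @AutoEscape String getName();
        String getTitle(Locale locale);
        boolean isEscapedModel();
    }

    /** Model with the proposed fix: the localized getter is annotated too. */
    interface CategoryFixed {
        @AutoEscape String getName();
        @AutoEscape String getTitle(Locale locale);
        boolean isEscapedModel();
    }

    /** One implementation for both interfaces, mirroring the old generated getter. */
    static class CategoryImpl implements CategoryOld, CategoryFixed {
        private final String name;
        private final Map<Locale, String> titles = new HashMap<>();
        // The original object-copying toEscapedModel() set this to true; the
        // proxy-based replacement never touches it, so it stays false.
        private boolean escapedModel;

        CategoryImpl(String name, Locale locale, String title) {
            this.name = name;
            titles.put(locale, title);
        }

        public String getName() { return name; }

        public String getTitle(Locale locale) {
            String value = titles.get(locale);
            return isEscapedModel() ? escape(value) : value;  // branch never taken today
        }

        public boolean isEscapedModel() { return escapedModel; }
    }

    /** Proxy-based toEscapedModel(): escapes String results of @AutoEscape methods only. */
    static <T> T toEscapedModel(Class<T> modelInterface, T target) {
        InvocationHandler handler = (proxy, method, args) -> {
            Object result = method.invoke(target, args);
            if (result instanceof String && method.isAnnotationPresent(AutoEscape.class)) {
                return escape((String) result);
            }
            return result;
        };
        return modelInterface.cast(Proxy.newProxyInstance(
            modelInterface.getClassLoader(), new Class<?>[] {modelInterface}, handler));
    }

    public static void main(String[] args) {
        // Constructed sample input: the title from step 1 of the reproduction.
        String payload = "<script type=\"text/javascript\">alert(123);</script>";
        CategoryImpl impl = new CategoryImpl("news", Locale.ENGLISH, payload);

        CategoryOld old = toEscapedModel(CategoryOld.class, impl);
        CategoryFixed fixed = toEscapedModel(CategoryFixed.class, impl);

        System.out.println("isEscapedModel(): " + old.isEscapedModel());
        System.out.println("old   getTitle(): " + old.getTitle(Locale.ENGLISH));
        System.out.println("fixed getTitle(): " + fixed.getTitle(Locale.ENGLISH));
    }
}
```

      Compile and run with javac EscapedModelDemo.java && java EscapedModelDemo. The proxy over CategoryOld returns the script tag verbatim because getTitle(Locale) is unannotated and isEscapedModel() is false on the underlying object, while the proxy over CategoryFixed returns it HTML-escaped; the escaped flag itself is never consulted by the proxy, which is why the report suggests dropping it.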

              People

              Assignee:
              paul.piao Paul Piao (Inactive)
              Reporter:
              alberto.chaparro Alberto Chaparro

                  Packages

                  Version Package
                  --Sprint 12/11
                  6.1.0 CE RC1