PUBLIC - Liferay Portal Community Edition
LPS-27520

Escaping used on entire URL rather than just non-trusted URL parts

    Details

      Description

      Calling HtmlUtil.escape() or HtmlUtil.escapeAttribute() on an entire URL (the whole href/src value) can cause problems, because characters that are valid in a URL get escaped too.

      For example:

      • Original URL: /folder/filename.ext?paramname1=paramvalue1&paramname2=paramvalue2&t=1337634334449
      • escape(URL): /folder/filename.ext?paramname1=paramvalue1&amp;paramname2=paramvalue2&amp;t=1337634334449
      • escapeAttribute(URL): /folder/filename.ext?paramname1=paramvalue1&#x26;paramname2=paramvalue2&#x26;t=1337634334449

      The &amp; and &#x26; in this case cause the key/value pairs to become malformed:

      • Original URL: paramname2=paramvalue2
      • escape(URL): amp;paramname2=paramvalue2
      • escapeAttribute(URL): &#x26;paramname2

      The correct solution would be to escape only the parts of the URL that are non-trusted:

      <%
      ...
      String paramvalue1 = nonTrustedData.getDateValue1();
      paramvalue1 = HtmlUtil.escapeURL(paramvalue1);
      ...
      %>

      <link href="/trusted-path/trusted-file.ext?trustedparamname1=<%= paramvalue1 %>&trustedparamname2=<%= paramvalue2 %>&t=<%=someUtil.getTimestamp() %>" rel="stylesheet" type="text/css" />

      Also notice, in this example, the use of HtmlUtil.escapeURL() rather than HtmlUtil.escape(). Since only the query string values are being escaped, percent-encoding (URL encoding) is the appropriate treatment here, not HTML entity escaping.
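      The two strategies side by side, as an added illustration that is not code from this report or from Liferay: Python's html.escape stands in for HtmlUtil.escape() and urllib.parse.quote for HtmlUtil.escapeURL(); the path, parameter values and timestamp are constructed sample data.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample input (not taken from the Liferay report): a trusted
# path plus query values that arrive from an untrusted source.
TRUSTED_PATH = "/folder/filename.ext"
UNTRUSTED_VALUES = {"paramname1": "a&b<c", "paramname2": "paramvalue2"}
TIMESTAMP = "1337634334449"


def query_pairs(url):
    """Split a URL's query string on '&' the way a server-side parser would,
    returning (name, decoded value) pairs. Kept deliberately simple so it
    shows what a key becomes once the separator itself has been escaped."""
    query = url.partition("?")[2]
    pairs = []
    for item in query.split("&"):
        name, _, value = item.partition("=")
        pairs.append((name, unquote(value)))
    return pairs


def escape_whole_url(url):
    """The pattern the report warns about: HTML-escaping the entire URL.
    Every '&' separator becomes '&amp;', so the following key reads 'amp;...'."""
    return html.escape(url, quote=True)


def build_url(path, values, timestamp):
    """The recommended pattern: percent-encode only the untrusted values
    (the stand-in for HtmlUtil.escapeURL) and leave the trusted path,
    parameter names and '&' separators untouched."""
    query = "&".join(f"{name}={quote(value, safe='')}" for name, value in values.items())
    return f"{path}?{query}&t={timestamp}"


def main():
    trusted_only = {"paramname1": "paramvalue1", "paramname2": "paramvalue2"}
    whole = escape_whole_url(build_url(TRUSTED_PATH, trusted_only, TIMESTAMP))
    print(whole)                                   # ...&amp;paramname2=...
    print([name for name, _ in query_pairs(whole)])  # second key is 'amp;paramname2'

    safe = build_url(TRUSTED_PATH, UNTRUSTED_VALUES, TIMESTAMP)
    print(safe)                                    # '&' and '<' in the value are %-encoded
    print(query_pairs(safe))                       # keys intact, value decodes to 'a&b<c'


if __name__ == "__main__":
    main()
```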

      A real example of where this needs to be fixed is below:
      File: [portal]\portal-web\docroot\html\common\themes\top_portlet_resources_css.jspf
      ...
      <%
      ...
      headerPortletCss = PortalUtil.getStaticResourceURL(request, curPortlet.getStaticResourcePath() + headerPortletCss, curRootPortlet.getTimestamp());
      ...
      %>
      ...
      <link href="<%= HtmlUtil.escape(headerPortletCss) %>" rel="stylesheet" type="text/css" />

      The example fix would involve modifying PortalUtil.getStaticResourceURL() so that it escapes the query string values itself before returning the URL, as in the snippet below:
      File: [portal]\portal-impl\src\com\liferay\portal\util\PortalImpl.java
      ...
      public String getStaticResourceURL(
      ...
      if ((parameterMap == null) || !parameterMap.containsKey("browserId")) {
      sb.append("&browserId=");
      sb.append(HtmlUtil.escapeURL(BrowserSnifferUtil.getBrowserId(request)));
      }

People

Assignee: Samuel Kong (samuel.kong)
Reporter: Byran Zaugg (byran.zaugg, inactive)


Packages

Version Package: --Sprint 11/12, 6.2.0 CE M2