PUBLIC - Liferay Portal Community Edition / LPS-27994

XSS vulnerability on Document Library Types


    • Bug
    • Status: Closed
    • Resolution: Fixed
    • 6.1.0 CE GA1, 6.1.10 EE GA1


      Steps to reproduce:
      Case 1:
      1. Add New Document Type.
      2. Drag Main Metadata Fields, Text and Text Box, Save.
      3. Add a new document using this New Document Type.
      4. Fill out <script>alert("xss")</script> for the Text and Text Box fields. Save.
      5. Try to click on the document.

      An XSS alert will display.
      In this case, Text and Text Box have an XSS problem when creating a New Document Type and when adding a New Data Definition in the Dynamic Data List portlet.

      Case 2:
      1. Add New Document Type with name "<script>alert("xss")</script>".
      2. Add a document with this type.
      Note: Filling out only the description with "<script>alert("xss")</script>" will not trigger an XSS alert.

      An XSS alert will display when trying to click on this document.

      Case 3:
      1. Add New Document Type with name "<script>alert("xss")</script>".
      2. Add an Asset Publish portlet.

      An XSS alert will occur.

      Case 4:
      1. Add an Asset Publish portlet first.
      2. Add New Document Type with name "<script>alert("xss")</script>".
      3. Try to upload a document with this document type.

      An XSS alert will occur.

      Console error:
      05:57:24,407 ERROR [MinifierUtil:109] 1: 10: Unexpected end of file
      05:57:24,408 ERROR [MinifierUtil:109] 1: 0: Compilation produced 1 syntax errors.
      05:57:24,409 ERROR [MinifierUtil:75] JavaScript Minifier failed for
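
All four cases render a stored, user-supplied string (a field value or the document type name) without output encoding, and the MinifierUtil errors suggest, as an assumption, that the name also reaches an inline JavaScript block in at least one view. The following is an added example, not Liferay's code and not the fix applied for this ticket; it shows context-specific encoding of the ticket's test string, and the class and method names are hypothetical.

```java
public class OutputEncodingDemo {

    // Encode for HTML element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Encode for a quoted JavaScript string literal in an inline <script> block.
    // Everything except ASCII letters and digits becomes \\uXXXX, so the value
    // can neither close the string literal nor spell "</script>", which the
    // HTML parser would otherwise treat as the end of the script block.
    static String escapeJs(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Test string from the ticket, used as a document type name.
        String typeName = "<script>alert(\"xss\")</script>";

        // HTML context (document view, Asset Publisher entry title).
        System.out.println("raw : <h3>" + typeName + "</h3>");
        System.out.println("safe: <h3>" + escapeHtml(typeName) + "</h3>");

        // Inline JavaScript context: raw output ends the script block early.
        System.out.println("raw : <script>var n = \"" + typeName + "\";</script>");
        System.out.println("safe: <script>var n = \"" + escapeJs(typeName) + "\";</script>");
    }
}
```

In the raw inline-script line, the embedded `</script>` ends the script element in the middle of the string literal, which leaves truncated JavaScript of the kind a minifier reports as an unexpected end of file.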





              justin.choi Justin Choi (Inactive)
              sophia.zhang Sophia Zhang
              Kiyoshi Lee Kiyoshi Lee


                10 years, 20 weeks, 6 days ago


                  Version Package
                  6.1.1 CE GA2
                  6.1.20 EE GA2
                  --Sprint 11/12
                  6.2.0 CE M2