Details

    • Branch Version/s:
      6.1.x
    • Backported to Branch:
      Committed
    • Fix Priority:
      4

      Description

      Reproduction steps:

      • Deploy AntiSamy Hook
      • Add Wiki Portlet to a page
      • Edit the Front page and choose HTML format
      • Click on Source and add some XSS ("><script>alert('Wiki Page Preview');</script>)
      • Save the page
      • Content has been sanitized OK
      • Edit the page again as previously
      • Click the Preview button

      The alert message is displayed.

          Activity

          kenji.heigel Kenji Heigel added a comment -

          Committed on:
          Portal 6.1.x EE GIT ID: fa24999015f6ffdb29620838226f2ee20202de9d.
          Portal 6.2.x GIT ID: d10c9eada83ab17611a59d448927820abe60a336.

          kenji.heigel Kenji Heigel added a comment -

          PASSED Manual Testing following the steps in the description.

          Reproduced on:
          Tomcat 7.0.27 + MySQL 5. Portal 6.1.x EE GIT ID: f513cc6488dd6bbcbe295e0b7b86f9b1cef47af2.
          Plugins 6.1.x EE GIT ID: 32aab040a271633cd74777a515baa9c93efef0cd.
          Tomcat 7.0.27 + MySQL 5. Portal 6.2.x GIT ID: b8b08350ea430cb0b6a601d1b88a3272436efaad.
          Plugins 6.2.x GIT ID: de5c6d7ccdc0a49f4fb8a7de0c7be4f6eaed80c5.

          With the AntiSamy Hook deployed, the XSS popup appears after clicking preview.

          Fixed on:
          Tomcat 7.0.27 + MySQL 5. Portal 6.1.x EE GIT ID: fa24999015f6ffdb29620838226f2ee20202de9d.
          Plugins 6.1.x EE GIT ID: 32aab040a271633cd74777a515baa9c93efef0cd.
          Tomcat 7.0.27 + MySQL 5. Portal 6.2.x GIT ID: 8dec877554fa4078bf77006b3a8875c55af3cb31.
          Plugins 6.2.x GIT ID: de5c6d7ccdc0a49f4fb8a7de0c7be4f6eaed80c5.

          With the AntiSamy Hook deployed, the XSS popup does not appear upon clicking preview.


            People

            • Assignee:
              kenji.heigel Kenji Heigel
              Reporter:
              tamas.molnar Tamas Molnar
              Recent user:
              Esther Sanz

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                3 years, 51 weeks, 1 day ago
