  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-41505

Service Builder persistence class does not properly escape localized input fields with HTML when AntiSamy hook is deployed


    Description

      Consider a field on a Service Builder entity which is both localized and expected to receive HTML (for example, by having the "EDITOR" hint collection in the portlet-model-hints.xml file):

      <field name="content" type="String" localized="true">
      	<hint-collection name="EDITOR" />
      </field>
      

      Now, suppose a user adds a <sanitize> hint to this field element, aimed at sanitizing HTML (as below):

      <field name="content" type="String" localized="true">
      	<hint-collection name="EDITOR" />
      	<sanitize content-type="text/html" modes="ALL" />
      </field>
      

      If the AntiSamy hook is deployed (and it should be, since it is responsible for such sanitizing), then the described field will not be properly escaped: the expected HTML content will be completely escaped in the database instead of only having malicious code removed. If the field were not localized, it would be properly escaped.

      Steps to reproduce

      1. Create a portlet
      2. Create a Service Builder entity with two String fields: a localized one and a non-localized one (see service.xml)
      3. Run ant build-service
      4. Edit portlet-model-hints.xml, adding both the hint collection EDITOR and the described sanitizer to both entities (see portlet-model-hints.xml)
      5. Create a JSP page both to list all created entities (presenting both of their fields) and to create new ones (see view.jsp)
      6. Create a portlet class to save the entities (see NELTPortlet.java)
      7. Deploy the AntiSamy hook on the portal.
      8. Deploy the portlet; add it to a page.
        • We will get a screen as the one below.
      9. Add the content "bold string" on both inputs. Make sure the word "bold" is really bold, as presented below.
      10. Submit the form.

      Expected results

      • The two strings will be displayed with the "bold" word in bold face.
      • No tag will be presented in the displayed content.
      • The result of select description from Post and select content from Post will be both "<b>bold</b> string"

      Actual results

      • The "bold" word is not in bold face in the displaying of the content field.
      • The content field is presented with the "<b>" tags visible to the user.
        • Both occurrences are visible in this screenshot:
      • The result of select description from Post is "<b>bold</b> string" but the result of select content from Post is "&lt;b&gt;bold&lt;/b&gt; string"
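The difference between the expected and actual results above, as an added example (not code from this issue or from Liferay): a small allowlist sanitizer stands in for the AntiSamy policy, and classify_stored labels a stored column value as sanitized or fully escaped. The allowlist, the function names and the sample rows are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist for illustration only; a real AntiSamy policy is far richer.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}
DROP_WITH_CONTENT = {"script", "style"}

class AllowlistSanitizer(HTMLParser):
    """Keeps allowlisted tags (without attributes), drops all other markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                      # drop the element and its body
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"<{tag}>")         # attributes are discarded

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(value):
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

def classify_stored(submitted, stored):
    """Label how a stored column value relates to what the user submitted."""
    if stored == sanitize(submitted):
        return "sanitized"        # expected result: allowed markup preserved
    if stored == html.escape(submitted, quote=False):
        return "fully-escaped"    # symptom reported for the localized field
    return "other"

# Constructed sample mirroring the two Post columns queried in the report.
SUBMITTED = "<b>bold</b> string"
STORED = {"description": "<b>bold</b> string",
          "content": "&lt;b&gt;bold&lt;/b&gt; string"}

def audit(submitted=SUBMITTED, stored=STORED):
    return {col: classify_stored(submitted, val) for col, val in stored.items()}
```

A check like audit() can serve as a regression test over stored rows: any column labelled "fully-escaped" shows the symptom described for the localized field.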

      Attachments

      In addition to the source files and screenshots mentioned below, the portlet used for reproducing this bug is attached both as a zip file exported from Eclipse as well as a WAR file.

      Attachments

        1. bad-escape.png
          10 kB
        2. NELTPortlet.java
          1 kB
        3. not-escaping-localized-text-portlet.zip
          140 kB
        4. not-escaping-localized-text-portlet-6.2.0.1.war
          135 kB
        5. portlet-model-hints.xml
          0.4 kB
        6. service.xml
          0.5 kB
        7. two-fields.png
          34 kB
        8. view.jsp
          1 kB

            People

              support-lep@liferay.com SE Support
              adam.brandizzi Adam Brandizzi
              Kiyoshi Lee Kiyoshi Lee

              Dates

                Created:
                Updated:
                Resolved:
                39 weeks, 5 days ago
