PUBLIC - Liferay Portal Community Edition / LPS-41581

Wiki XSS scripting issue with html text-type

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Won't Fix
    • Affects Version/s: 6.1.20 EE GA2
    • Fix Version/s: 6.1.20 EE GA2
    • Labels:
    • Environment:
      LIFERAY VERSION: 6.1 GA2
      OPERATING SYSTEM: Windows Server 2008
      APPLICATION SERVER: Tomcat 6.0
      JAVA VIRTUAL MACHINE: Java 6
      DATABASE: Oracle 11.2

      Description

      Via the wiki portlet, one can input script via the HTML text-type when editing or adding a wiki entry. After the input, the JavaScript will be run if a user clicks on the link created from the HTML text-type.

      Steps to Reproduce

      1) Create or edit a wiki post
      2) Go to "source" view
      3) Add the following line in "HTML" format:
      <a href="javascript:alert(3002)">link here</a></p>
      4) Click publish.
      5) Notice the displayed link, and click on it.
      6) You receive a popup that says "3002."

            People

            Assignee:
            samuel.kong Samuel Kong
            Reporter:
            ira.chui Ira Chui
            Participants of an Issue:
            Recent user:
            Esther Sanz
            Votes:
            0
            Watchers:
            1

              Dates

              Created:
              Updated:
              Resolved:
              Days since last comment:
              7 years, 2 weeks ago

                Packages

                Version Package
                6.1.20 EE GA2
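
One way to reject a link like the one in step 3 before wiki content is stored or rendered, shown as an added example that is not part of the original report and not Liferay's code. It assumes the `href` value has already been extracted and entity-decoded by an HTML parser; the function names and the scheme allowlist are hypothetical.

```javascript
// Added example (not Liferay code): allowlist check for the href of a link
// in user-supplied wiki HTML. Assumes the value was already extracted and
// entity-decoded by an HTML parser; function names are hypothetical.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Mirror what the browser's URL parser does before it looks for a scheme:
// drop leading/trailing C0 control characters and spaces, and remove ASCII
// tab, LF and CR wherever they occur.
function normalizeHref(href) {
  return String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lowercased scheme, or null when the value is a relative URL.
function schemeOf(href) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeHref(href));
  return m ? m[1].toLowerCase() : null;
}

// Relative URLs inherit the page's http(s) scheme and are allowed; an
// absolute URL is allowed only if its scheme is on the list.
function isSafeHref(href) {
  const scheme = schemeOf(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Replace a rejected href with an inert fragment so the link text survives.
function sanitizeHref(href) {
  return isSafeHref(href) ? normalizeHref(href) : "#";
}

// Constructed sample input; the first value is the one from the report.
const samples = [
  "javascript:alert(3002)",
  "https://example.com/docs",
  "/web/guest/wiki",
];
for (const href of samples) {
  console.log(JSON.stringify(href), "->", JSON.stringify(sanitizeHref(href)));
}
```

The check compares against an allowlist rather than looking for the string `javascript:`, so any scheme not explicitly permitted is rejected after the same normalization the browser applies.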