[LPS-71763] svg xlink:href is not allowed to point to an external domain - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 7.0.X EE, Master
Fix Version/s: 7.0.0 DXP FP14, 7.0.0 DXP SP3, 7.0.3 CE GA4, 7.0.X EE, 7.1.X, Master
Component/s: ~[Archived] UI Taglibs
Labels:
- liferay-digital-enterprise-70-sp3
- liferay-fixpack-de-14-7010

Branch Version/s:

7.0.x
Backported to Branch:

Committed
Fix Priority:
4
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/48453

Description

Steps to Reproduce

Add an entry to your system's hosts file for abc.com that points to your local server.

Create a portal-ext.properties file with at least the following properties:

redirect.url.ips.allowed=
cdn.host.http=http://abc.com:8080/
cdn.dynamic.resources.enabled=false

Startup Liferay and visit http://localhost:8080/

Expected behavior is that there are no errors in the Javascript console. Actual behavior is there are errors in the Javascript console due to the SVGs being created with an xlink:href pointing to the CDN URL, which is not allowed. See this comment on svg4everybody for more information.

https://github.com/jonathantneal/svg4everybody/issues/16#issuecomment-225315731

Potential Problematic Files

Running a grep against the source code for xlink:href reveals the following places that need to be updated and tested:

git ls-files | grep -F '.java' | tr '\n' '\0' | xargs -0 grep -Fl 'xlink:href'

util-taglib/src/com/liferay/taglib/aui/ATag.java
util-taglib/src/com/liferay/taglib/aui/IconTag.java

 git ls-files | grep -F '.js' | tr '\n' '\0' | xargs -0 grep -Fl 'xlink:href' | grep -vF '.task-cache'

modules/apps/forms-and-workflow/dynamic-data-mapping/dynamic-data-mapping-type-text-localizable/src/main/resources/META-INF/resources/text_localizable.soy.js
modules/apps/foundation/frontend-js/frontend-js-web/src/main/resources/META-INF/resources/liferay/alert.js
modules/apps/foundation/frontend-js/frontend-js-web/src/main/resources/META-INF/resources/liferay/fullscreen_source_editor.js
modules/apps/foundation/frontend-js/frontend-js-web/src/main/resources/META-INF/resources/liferay/upload.js
modules/apps/foundation/frontend-js/frontend-js-web/src/main/resources/META-INF/resources/liferay/util.js
modules/apps/foundation/frontend-js/frontend-js-web/src/main/resources/META-INF/resources/liferay/util_window.js
modules/apps/foundation/frontend-taglib/frontend-taglib/src/main/resources/META-INF/resources/diff_version_comparator/js/diff_version_comparator.js
modules/apps/marketplace/marketplace-app-manager-web/src/main/resources/META-INF/resources/icon.jsp

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

7.0 pass.jpg
47 kB
11/May/17 1:11 AM
master pass.jpg
19 kB
11/May/17 1:11 AM

Issue Links

relates

LPS-72903 Lexicon icons.svg missing Access-Control-Allow-Origin header

Closed

Activity

People

Assignee:: Steven Gao (Inactive)

Reporter:: Minhchau Dang

Participants of an Issue:: Chema Balsas, Minhchau Dang, Robert Frampton, Steven Gao

Recent user:: Csaba Turcsan

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 06/Apr/17 12:20 PM

Updated:: 10/May/19 1:00 AM

Resolved:: 20/Apr/17 9:13 AM

Days since last comment:: 4 years, 29 weeks, 5 days ago

Packages

Version	Package
7.0.0 DXP FP14
7.0.0 DXP SP3
7.0.3 CE GA4
7.0.X EE
7.1.X
Master