Site Pages can be created with any name currently, as long as they are not null. Although there is some protection to prevent them from running upon loading pages, they can still be executed within the context of navigation menus because when the sidebar loads its pointer to a Site Page and its name, it is not properly sanitized, so if a Site Name is a script, it will run the script.
Although it is unclear how dangerous this interaction can be, it is not a bad idea to prevent it from existing to prevent any security risks from being an issue.
Steps to Reproduce:
- Add a Site Page with its name as your script inside <script> </ script> tags
(i.e.: <script> x = document.cookie; alert; </script>)
- Go to Site Administration > Navigation > Navigation Menus
- Navigate into Default Navigation Menu
- Add your scripted site page name into the custom navigation menu multiple times
- Click on your scripted site page.
Script not runnable
Tomcat 9.0.6 + MySQL 5.7
Portal master GIT ID: 13c6a6b4f26effb5d42e82db120c60a8698ae071