PUBLIC - Liferay Portal Community Edition / LPS-8165

HTML elements viewed in 'Activities Portlet' are being escaped.

    Details

      Description

      1) Login as 'test@liferay.com' / 'test'.
      2) Navigate to 'My Community Public Page'.
      3) Add a Page.
      4) Add the 'Activities Portlet' and the 'Blogs Portlet'.
      5) Add a blog entry with the following titles:

      <script>alert(document.domain)</script>
      <script>alert(document.domain)
      <script>alert(document.domain)</script>
      <script>alert(document.domain)

      Notice that if you view these entries in the Activities portlet, the HTML will be escaped;
      the entries will be displayed like the following:

      <script>alert(document.domain)</script>
      <script>alert(document.domain)

      alert(document.domain)

      I've attached a picture of how they will be displayed.

              People

              Assignee:
              paul.piao Paul Piao (Inactive)
              Reporter:
              michael.hashimoto Michael Hashimoto
              Recent user:
              Esther Sanz
              Votes:
              0
              Watchers:
              3

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                9 years, 10 weeks, 3 days ago

                  Packages

                  Version Package
                  6.1.1 CE GA2
                  6.1.20 EE GA2
                  --Sprint 11/12
                  6.2.0 CE M2