Details

    • Branch Version/s:
      6.1.x
    • Backported to Branch:
      Committed
    • Fix Priority:
      3

      Description

      1) Login as 'test@liferay.com' / 'test'.
      2) Navigate to 'My Community Public Page'.
      3) Add a Page.
      4) Add the 'Activities Portlet' and the 'Blogs Portlet'.
      5) Add a blog entry with the following titles:

      <script>alert(document.domain)</script>
      <script>alert(document.domain)
      <script>alert(document.domain)</script>
      <script>alert(document.domain)

        • Notice that if you view these entries in the Activities portlet, the HTML will be escaped and the entries will be displayed like the following:

      <script>alert(document.domain)</script>
      <script>alert(document.domain)

      alert(document.domain)

      I've attached a picture of how they will be displayed.


          Activity

          Michael Hashimoto added a comment -

          Reproduced in these environments:

          Tomcat 6.0 + MySQL. Firefox 3.5.7. Revision: 52581. Trunk.
          Tomcat 6.0 + MySQL. Firefox 3.5.7. Revision: 52581. 5.2.x.
          Tomcat 6.0 + MySQL. Firefox 3.5.7. Revision: 52581. 5.1.x.

          Sergio Gonzalez added a comment -

          Method cleanContent(entry.getTitle()) is "unescaping" the blog entry title, so if the title of the blog entry is

          <script>alert(document.domain)</script>

          the string returned by the function cleanContent() is

          <script>alert(document.domain)</script>

          This is happening because of HtmlUtil.extractText and the function getTextExtractor().

          Then, although the entry title is escaped, the result is not the expected one.
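
The ordering problem described in the comment above, as an added example that is not Liferay code and not part of this issue: a simplified, hypothetical `extract_text` stands in for the text extractor. Like any HTML text extractor it decodes character references, so when it is fed a title that was already escaped it hands back the raw markup; the corrected ordering extracts text from the raw title first and escapes exactly once, where the string is written into the page. The function names and sample titles are constructed for illustration.

```python
import html
import re

# Constructed sample titles, taken from the steps in the report (illustration only).
TITLES = [
    "<script>alert(document.domain)</script>",
    "<script>alert(document.domain)",
]

_TAG_RE = re.compile(r"<[^>]*>")


def extract_text(fragment: str) -> str:
    """Hypothetical stand-in for a text extractor (not Liferay's HtmlUtil.extractText).

    Like any HTML text extractor it returns the *decoded* visible text: tags are
    dropped and character references such as &lt; are turned back into '<'.
    """
    return html.unescape(_TAG_RE.sub("", fragment))


def clean_content_broken(stored_title: str) -> str:
    """Order from the bug report: the title was escaped on the way in, then the
    extractor decodes the entities, so the raw markup comes back out."""
    return extract_text(stored_title)


def render_broken(title: str) -> str:
    escaped_at_input = html.escape(title)          # escaping done too early
    return clean_content_broken(escaped_at_input)  # '&lt;' becomes '<' again


def render_fixed(title: str) -> str:
    """Extract the plain text from the raw title, then escape exactly once,
    at the point the string is written into the page."""
    return html.escape(extract_text(title))


def contains_raw_markup(rendered: str) -> bool:
    """Output check: a safely rendered title never carries a literal '<'."""
    return "<" in rendered


if __name__ == "__main__":
    for title in TITLES:
        broken = render_broken(title)
        fixed = render_fixed(title)
        print("broken:", broken, "| raw markup:", contains_raw_markup(broken))
        print("fixed: ", fixed, "| raw markup:", contains_raw_markup(fixed))
```

The check matters because a consumer that trusts the output of such a cleaning step as already safe would write it into the page unescaped; as a later comment on this issue notes, the portlet escaped the value again before display, which is why the report stayed a display defect rather than a script injection.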

          Michael Saechang added a comment -

          This has already been fixed and is no longer reproducible on the latest trunk.

          Tested on 6.1.x revision: 90917.

          Amos Fong added a comment -

          Charles,

          It can't be used as an exploit because it's escaped again before it is displayed.

          Michael Saechang added a comment -

          Committed on:
          Portal 6.1.x CE GIT ID: c766aa61bdb8463cd9d78461595afa44894de88b.
          Portal 6.2.x GIT ID: d60f427819145bf183c428b59df05d5c5a437da6.

          Paul Piao (Inactive) added a comment -

          PASSED Manual Testing following the steps in the description.

          Reproduced on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.10 EE GA1.

          I can see the attachment error "activitiesescapecharacters.PNG". The Activities Portlet does not display "<script>alert(document.domain)</script>".

          Fixed on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 6a924268fafee0af22f9b81a85dcadce8730965b.
          Tomcat 7.0 + MySQL 5. Portal 6.1.x CE GIT ID: 31508f41a8a062b6f9aeb87b5b62965e53f4f36f.
          Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: bd0ac55267f6511e477cdd37d797a10417a48f3e.

          The Activities Portlet displays "<script>alert(document.domain)</script>".

          Michael Saechang added a comment -

          Thank you Paul for testing. Closing as 'Fixed'.
