[LPS-99785] Javascript executes in fragment configuration type text - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: Master
Fix Version/s: 7.2.10 DXP FP2, 7.2.10.1 DXP SP1
Component/s: Fragment Administration
Labels:
- liferay-dxp-72-sp1
- liferay-fixpack-dxp-2-7210

Fix Priority:
4
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/77150

Description

Steps to Reproduce:

Enable Fragment Configurations
Add a Page Fragment Section with a configuration of type text
Create a new content page and add fragment
Change the configuration text to be "<script>alert('test')</script>"
Publish and view page

Expected Result:

Javascript is not executed

Actual Result:

Javascript is executed

Reproduced on:

Tomcat 9.0.17 + MySQL 5.7.
Portal Master GIT Commit: 5768543decf42efba87f23f0bc6a08f4152cd1a7

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Javascript.mp4
1.37 MB
14/Aug/19 11:45 AM

Issue Links

Discovered while testing

LPS-98913 Manual Testing

Closed

Testing discovered

LPS-97192 As a web developer I can add a field of type text to my fragment configuration

Closed

Sub-Tasks

1.

Document the alternatives to escape text values

Closed

Cody Hoag (Inactive)

Activity

People

Assignee:: Brooke Dalton

Reporter:: Brooke Dalton

Participants of an Issue:: Brooke Dalton, Cody Hoag, Victor Galan

Recent user:: Kiyoshi Lee

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 14/Aug/19 11:45 AM

Updated:: 21/Oct/19 2:09 PM

Resolved:: 17/Sep/19 12:40 PM

Days since last comment:: 3 years, 26 weeks, 5 days ago

Packages

Version	Package
7.2.10 DXP FP2
7.2.10.1 DXP SP1