Issue
- We can put Javascript code in a fragment's HTML section where the code can be executed, when the fragment is opened, like
<img src=x onerror="alert(document.cookie)"> - Can that be a vulnerability to Cross Site Scripting (XSS)?
Environment
- Liferay DXP 7.3+
Resolution
- This is the intended behavior, as having scripts in a fragment HTML is a valid use case.
- The HTML fragment does not provide any out-of-the-box sanitization, since we expect users to allow only advanced roles to use it, and they can restrict its access by configuring the Master page to not allow its usage. Any fragment admin can write any kind of Javascript in the fragment’s JS field and these scripts are not injected by malicious parties, but by admins to provide functionality to their site
- Nevertheless, we provide:
- The possibility to escape fragment text values, explained here: Escaping Fragment Configuration Text Values (I also found a related article: Can we prevent editors from injecting executable code in Web Content fields?)
- SanitizerUtil, for users to implement their own sanitization rules.
Subscriber Exclusive Content
A Liferay Enterprise Subscription provides access to over 1,500 articles that include best practices, troubleshooting, and other valuable solutions. Sign in for full access.
Sign In