Issue
- We can put JavaScript code in the Button fragment's URL field so that it is executed when the button is clicked, for example: javascript:alert(document.cookie)
- Could this be exploited for Cross-Site Scripting (XSS)?
Environment
- Liferay DXP 7.3+
Resolution
- We allow adding scripts to the button fragment, so the administrator or editor who sets the URL can use that button to trigger JavaScript.
- Fragments on pages must have access to the HTML features that build up the page, as in this case, where an <a> tag can carry JavaScript in its href attribute.
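The resolution above relies on the URL field being set only by trusted page editors. As an added example (not Liferay's code), the following Node.js snippet shows how an administrator could audit a list of button-fragment hrefs and flag those a browser would run as script, resolving each href the way a browser does (leading whitespace, mixed case and embedded newlines still yield the javascript: scheme); the fragment record shape, base URL and sample data are assumed.

```javascript
// Added example, not Liferay code: classify a button-fragment href by the
// scheme a browser would actually use when the link is clicked, then audit a
// constructed list of fragments. Uses the global WHATWG URL class (Node >= 10).

// Schemes a browser executes as script on click.
const SCRIPT_SCHEMES = new Set(['javascript:']);

// Resolve href like a browser does (WHATWG URL parsing): leading/trailing
// whitespace is trimmed, embedded tabs/newlines are dropped and the scheme is
// lower-cased. Relative hrefs resolve against the page base (assumed
// placeholder). Returns the normalized protocol, or null if unparseable.
function resolveScheme(href, base = 'https://portal.example.test/') {
  try {
    return new URL(href, base).protocol;
  } catch (e) {
    return null;
  }
}

function isScriptUrl(href) {
  const scheme = resolveScheme(href);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Audit: given fragment records {page, fragment, href} (hypothetical shape),
// return those whose href runs script so each can be confirmed as intentional.
function auditFragmentUrls(fragments) {
  return fragments.filter((f) => isScriptUrl(f.href));
}

// Constructed sample data, not taken from a real site.
const SAMPLE_FRAGMENTS = [
  { page: '/web/guest/home', fragment: 'button-1', href: 'https://example.test/contact' },
  { page: '/web/guest/home', fragment: 'button-2', href: 'javascript:void(0)' },
  { page: '/web/guest/news', fragment: 'button-3', href: '  JaVaScRiPt:console.log("hi")' },
  { page: '/web/guest/news', fragment: 'button-4', href: 'java\nscript:console.log("hi")' },
  { page: '/web/guest/about', fragment: 'button-5', href: '/web/guest/about#top' },
];

// Report every fragment whose button would execute script when clicked.
for (const f of auditFragmentUrls(SAMPLE_FRAGMENTS)) {
  console.log(`${f.page} ${f.fragment}: ${JSON.stringify(f.href)}`);
}
```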