Issue
- Web Content Editing
  If a script is added to the content field and published, the script is executed whenever the article is displayed, so accessing the page triggers an alert each time. Allowing such content could help its creator carry out an XSS attack.
Environment
- DXP 7.0 ~ DXP 7.4
Resolution
- This is the expected behavior.
- Admins have the option to whitelist and blacklist content that should be sanitized.
In this case, AntiSamy needs to be enabled for com.liferay.journal.model.JournalArticle.
[DXP 7.4] Go to: System Settings > Security Tools > Antisamy and remove com.liferay.journal.model.JournalArticle from the whitelist field.
[DXP 7.0] Go to: System Settings > Foundation > AntiSamy Sanitizer and remove com.liferay.journal.model.JournalArticle from the whitelist field.
After republishing the web content, the alert window should no longer appear.
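Because sanitization only takes effect when an article is republished, it helps to know which existing articles still carry active markup. The following is an added example, not Liferay or AntiSamy code: a small audit that flags such articles. It assumes the HTML body of each article has already been extracted into a string; the article IDs and bodies are constructed, and the heuristics are a simple approximation, not AntiSamy's policy.

```python
from html.parser import HTMLParser

# Elements and URL-bearing attributes treated as "active" by this audit (assumed list).
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentFinder(HTMLParser):
    """Collects markup that a sanitizer would be expected to strip."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                # Over-approximates: any on* attribute is reported for review.
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                if value.strip().lower().startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit(articles):
    """Return {article_id: findings} for articles that should be republished."""
    flagged = {}
    for article_id, html in articles.items():
        finder = ActiveContentFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            flagged[article_id] = finder.findings
    return flagged


# Constructed sample content; IDs and bodies are illustrative only.
SAMPLE_ARTICLES = {
    "ARTICLE-1": "<p>Quarterly update</p><script>alert('test')</script>",
    "ARTICLE-2": '<p>See <a href="/docs">the docs</a> for details.</p>',
    "ARTICLE-3": '<p onclick="alert(1)">Click</p>',
    "ARTICLE-4": '<a href="javascript:void(0)">Menu</a>',
}

if __name__ == "__main__":
    for article_id, findings in audit(SAMPLE_ARTICLES).items():
        print(article_id, "->", "; ".join(findings))
```

Articles reported by the audit are the ones to republish once com.liferay.journal.model.JournalArticle has been removed from the whitelist.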