Does having a script in a fragment qualify as a potential XSS vulnerability?


  • We can put Javascript code in a fragment's HTML section where the code can be executed, when the fragment is opened, like <img src=x onerror="alert(document.cookie)">
  • Can that be a vulnerability to Cross Site Scripting (XSS)?


  • Liferay DXP 7.3+


  • This is the intended behavior, as having scripts in a fragment HTML is a valid use case.
  • The HTML fragment does not provide any out-of-the-box sanitization, since we expect users to allow only advanced roles to use it, and they can restrict its access by configuring the Master page to not allow its usage. Any fragment admin can write any kind of Javascript in the fragment’s JS field and these scripts are not injected by malicious parties, but by admins to provide functionality to their site
  • Nevertheless, we provide:
¿Fue útil este artículo?
Usuarios a los que les pareció útil: 0 de 0