Issue
- We can put JavaScript code in the Button fragment's URL field so that it is executed when the button is clicked, for example: javascript:alert(document.cookie)
- Can that be a vulnerability to Cross Site Scripting (XSS)?
Environment
- Liferay DXP 7.3+
Resolution
- We allow adding scripts to the button fragment, so the admin (or editors) handling the URL can use that button to trigger JavaScript.
- Fragments on pages must have access to the HTML features that build up the page; in this case, an <a> tag can include JavaScript in its href attribute.
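As an added example (not from this article and not Liferay's own code), a defender-side check an administrator could run over stored fragment markup to flag href values whose scheme is not on an allow-list, covering mixed case, embedded whitespace and entity-encoded variants; the allow-list, site origin and function names are assumptions:

```javascript
// Added example, not part of this Liferay KB article or Liferay's own code.
// Defender-side check: classify href values placed on a button fragment so
// that javascript: (and other script-capable) schemes are flagged, using the
// WHATWG URL parser so the decision matches how a browser reads the value.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]); // assumed allow-list
const SITE_ORIGIN = "https://example.com"; // assumed site origin for resolving relative links

function classifyHref(href, base = SITE_ORIGIN) {
  let url;
  try {
    // The parser drops tabs/newlines, trims surrounding spaces and lowercases
    // the scheme, so " JaVa\tScRiPt:..." is still recognised as javascript:.
    url = new URL(href, base);
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  return { allowed: true, reason: `scheme ${url.protocol} allowed` };
}

function isAllowedHref(href) {
  return classifyHref(href).allowed;
}

// Minimal HTML entity decoding so "&#106;avascript:" is not missed when
// reviewing stored fragment markup (numeric plus the five basic named entities).
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&#x([0-9a-f]+);|&#(\d+);|&(amp|lt|gt|quot|apos);/gi,
    (m, hex, dec, name) => {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      return named[name.toLowerCase()];
    });
}

// Scan fragment HTML and return the raw href values that fail the check.
function findDisallowedHrefs(html) {
  const found = [];
  const attr = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const raw = m[1] !== undefined ? m[1] : m[2];
    if (!isAllowedHref(decodeEntities(raw))) found.push(raw);
  }
  return found;
}
```

Because only the scheme is checked, the same function accepts ordinary relative links (/web/guest/home) resolved against the site origin while rejecting javascript:, data: and vbscript: values however they are cased or encoded.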