Does having a script in a button fragment qualify as a potential XSS vulnerability?


  • JavaScript code can be placed in the Button fragment's URL field, and it runs when the button is clicked, for example javascript:alert(document.cookie)
  • Could this be exploited as a cross-site scripting (XSS) vulnerability?


  • Liferay DXP 7.3+


  • Adding scripts to the Button fragment's URL is allowed by design, so that the administrators (or editors) who control the URL can use the button to trigger JavaScript.
  • Fragments on pages must have access to the same HTML features that make up the page; in this case that means an <a> tag whose href attribute can hold a javascript: URL, exactly as it can in plain HTML.
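
Since javascript: URLs in button fragments are permitted for trusted roles, a site owner may still want to audit fragment markup for them. The helper below is an added example, not Liferay code; the fragment HTML, the function names and the scheme list are constructed for illustration.

```javascript
// Added example: audit helper that lists <a href> values whose scheme would
// execute script when clicked. Not part of Liferay; sample markup is constructed.
const SCRIPT_SCHEMES = ["javascript:", "vbscript:"]; // vbscript: is legacy IE only

function normalizeHref(raw) {
  // href is attribute text, so decode numeric entities and the named
  // whitespace entities first (e.g. "java&#x09;script:" becomes "java\tscript:").
  let s = raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&Tab;/g, "\t")
    .replace(/&NewLine;/g, "\n");
  // Browsers drop ASCII tab/newline/CR anywhere in the URL and strip leading and
  // trailing C0 controls and spaces before reading the scheme, so mirror that.
  s = s.replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  return s.toLowerCase();
}

function isScriptHref(raw) {
  const n = normalizeHref(raw);
  return SCRIPT_SCHEMES.some((scheme) => n.startsWith(scheme));
}

function findScriptLinks(html) {
  // Simple attribute scan, sufficient for fragment markup; not a full HTML parser.
  const re = /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3] ?? "";
    if (isScriptHref(href)) hits.push(href);
  }
  return hits;
}

// Constructed sample fragment markup for demonstration.
const SAMPLE_FRAGMENT = `
<div class="button-fragment">
  <a class="btn" href="https://example.com/docs">Docs</a>
  <a class="btn" href="javascript:alert(document.cookie)">Show cookie</a>
  <a class="btn" href=" JaVaScRiPt:void(0)">Mixed case</a>
  <a class="btn" href="java&#x09;script:alert(1)">Entity-split</a>
  <a class="btn" href="mailto:admin@example.com">Mail</a>
</div>`;

console.log(findScriptLinks(SAMPLE_FRAGMENT)); // prints the three javascript: hrefs
```

Run it against exported fragment HTML to see which buttons would execute script on click; the normalization step matters because a plain `startsWith("javascript:")` check misses the mixed-case and entity-split forms that browsers still treat as javascript: URLs.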
