AntiSamy Portlet Removes HTML Target Attributes

The AntiSamy portlet sanitizes web content to prevent XSS-type attacks. One side effect is that if an anchor (a tag) carries a target attribute, the portlet strips that attribute when the content is published, so links that were meant to open in a new window or tab open in the same one instead.

Steps to Reproduce

  1. Create Web Content
  2. Embed a link with a target of _blank

    For example, a link such as <a href="..." target="_blank">link2</a>

  3. Publish the content.
  4. View the content in a web content display portlet, and verify that it opens a new window/tab.
  5. Download and deploy AntiSamy from Liferay Marketplace.
  6. Repeat steps 1-3.
  7. You'll now see that the content opens in the same window instead of a new window/tab.
  8. Edit the web content, click Source, and you'll see that the target attribute has been removed from the stored HTML.
  9. Re-add the target attribute and publish again.
  10. Go back to edit the web content and click Source; the target attribute has been removed once again.

Resolution

This behavior is intentional. The Liferay platform uses AntiSamy's default policy, sanitizer-configuration.xml, whose rule for the a tag does not list target as an allowed attribute. AntiSamy keeps only the attributes a tag rule explicitly permits, so target is removed every time the content is saved; an attribute the policy does not know is treated as a possible XSS vector rather than passed through. The concrete risk with target="_blank" is that the opened page receives a window.opener reference back to the originating page (reverse tabnabbing), which is what rel="noopener" is meant to close off.

However, you may edit AntiSamy's policy file to allow the target attribute on links. An example of the XML change that may work is described here: XSS Filter issue with the target attribute of the a tag.

As this is a customization of the portlet, keep a backup of the original AntiSamy portlet, or extend it rather than modifying it in place if possible. Note also that content published while the attribute was being stripped has already lost it in storage (step 8 above); after changing the policy, such content must be edited and the target re-added.
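The fragment below is an added example of the kind of policy change the linked thread describes; it is not Liferay's shipped sanitizer-configuration.xml and not code from the page. It shows only the a-tag rule inside AntiSamy's tag-rules section. The href line is an assumption about what the shipped rule already contains; the target and rel entries are the change that lets the attribute survive publishing. Attribute names, element names and the onInvalid values are AntiSamy's own policy vocabulary.

```xml
<!-- Added example: an AntiSamy policy fragment, not Liferay's shipped
     sanitizer-configuration.xml. Only the a rule inside tag-rules is
     shown; the href line is an assumption about what the shipped rule
     already contains, the target and rel attributes are the change. -->
<tag-rules>

  <!-- action="validate" means AntiSamy keeps the tag but drops every
       attribute that is not listed below. Without a target entry here,
       target="_blank" is removed on every save, which is the behaviour
       reported above. -->
  <tag name="a" action="validate">

    <attribute name="href" onInvalid="filterTag"/>

    <!-- Change 1: allow target, restricted to the four browsing-context
         keywords. A fixed literal list rather than a regexp, so an
         author-supplied value never reaches the attribute unchecked. -->
    <attribute name="target" onInvalid="removeAttribute">
      <literal-list>
        <literal value="_blank"/>
        <literal value="_self"/>
        <literal value="_parent"/>
        <literal value="_top"/>
      </literal-list>
    </attribute>

    <!-- Change 2: allow rel so authors can write
         target="_blank" rel="noopener noreferrer" and cut the opened
         page's window.opener reference. AntiSamy validates attributes
         independently and cannot require rel whenever target is present,
         so that pairing has to come from the author. Literals are
         compared against the whole attribute value, so the combined
         form is listed explicitly. -->
    <attribute name="rel" onInvalid="removeAttribute">
      <literal-list>
        <literal value="noopener"/>
        <literal value="noreferrer"/>
        <literal value="noopener noreferrer"/>
        <literal value="nofollow"/>
      </literal-list>
    </attribute>

  </tag>

</tag-rules>
```

After redeploying the modified portlet, verify the change with steps 1 through 4 above: publish a link with target="_blank", open the content in a web content display portlet, then reopen the article and check in Source that the target attribute is still present in the stored HTML. A value outside the literal list (for example an attacker-chosen string in target) is removed by onInvalid="removeAttribute" while the link itself is kept.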

Additional Information

Please refer to OWASP's guides on how to configure AntiSamy policy files.
