Issue
- We can put JavaScript code in the Button fragment's URL field, so it is executed when the button is clicked, for example:
javascript:alert(document.cookie)
- Can this be a Cross-Site Scripting (XSS) vulnerability?
Environment
- Liferay DXP 7.3+
Resolution
- Adding scripts to the button fragment is allowed by design, so the administrator (or editors) who set the URL can use that button to trigger JavaScript.
- Fragments on pages must have access to the HTML features that make up the page; in this case, an <a> tag can include JavaScript in its href attribute.
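Since a javascript: href runs on click, a site that wants to review which button URLs would execute script can classify the stored values before they reach an <a> tag. The following is an added example, not Liferay code; the scheme lists and the sample URL values are constructed for illustration, and the normalization mirrors how browsers strip whitespace and control characters before reading the scheme.

```javascript
// Added example (not Liferay code): classify a URL value destined for an <a href>
// so a content review step can flag values that execute script on click.

// Browsers drop leading/trailing C0 controls and spaces, and remove tab, LF and CR
// anywhere in the value, before parsing the scheme (WHATWG URL parser behaviour).
function normalizeHref(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lowercased scheme, or null for a relative URL without one.
function schemeOf(value) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeHref(value));
  return m ? m[1].toLowerCase() : null;
}

// Constructed lists: schemes that execute script, and schemes a site chooses to allow.
const SCRIPT_SCHEMES = new Set(["javascript"]);
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

function isScriptUrl(value) {
  return SCRIPT_SCHEMES.has(schemeOf(value));
}

// Verdicts: "script" runs JavaScript on click, "allowed" is a plain link,
// "review" is any other scheme (for example data:) that needs a human look.
function classifyButtonUrl(value) {
  const scheme = schemeOf(value);
  if (scheme === null) return "allowed"; // relative link within the site
  if (SCRIPT_SCHEMES.has(scheme)) return "script";
  if (ALLOWED_SCHEMES.has(scheme)) return "allowed";
  return "review";
}

// Constructed sample of button URL values as they might be stored in fragment configuration.
const SAMPLE_BUTTON_URLS = [
  "https://example.com/docs",
  "/web/guest/home",
  "javascript:alert(document.cookie)", // the value from the issue above
  "  JavaScript:void(0)",              // leading spaces, mixed case
  "java\nscript:alert(1)",             // embedded newline removed by browsers
  "data:text/html,hello",
];

function auditButtonUrls(urls) {
  return urls.map((url) => ({ url, verdict: classifyButtonUrl(url) }));
}
```

Running auditButtonUrls over stored fragment configuration gives a list that can be logged or reviewed; it does not change the fragment's behaviour, which the resolution above describes as intentional.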