Issue
Web Content Editing
If a script tag is added to the content field of a web content article and the article is published, the script executes whenever the article is displayed: every visit to the page triggers the alert. Allowing such content lets the article's author mount a stored XSS attack against everyone who views it.
Environment
- DXP 7.0 to DXP 7.4
Resolution
This is the expected behavior: by default, web content articles are exempt from sanitization.
Administrators control which model classes the AntiSamy sanitizer processes through its whitelist (classes that are not sanitized) and blacklist (classes that are sanitized).
To sanitize web content, enable AntiSamy for com.liferay.journal.model.JournalArticle by removing it from the whitelist:
[DXP 7.4] Go to: System Settings > Security Tools > AntiSamy and remove com.liferay.journal.model.JournalArticle from the whitelist field.
[DXP 7.0] Go to: System Settings > Foundation > AntiSamy Sanitizer and remove com.liferay.journal.model.JournalArticle from the whitelist field.
Sanitization is applied when an article is saved, so articles published before the change keep their stored content until they are republished. After republishing the web content, the script tag is stripped and the alert window should no longer appear.
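To make the sanitization step concrete, the following is an added example written for this page; it is not Liferay or AntiSamy code. It implements an allow-list HTML sanitizer of the kind an AntiSamy policy applies to the content field, runs it over a constructed sample of what an author could paste into an article, and provides a small detector that can be run over the rendered article HTML after republishing to confirm no active content survived. The allow-list, the sample payload and the helper names are assumptions chosen for illustration; Liferay's real policy is defined in its AntiSamy configuration file.

```python
"""Allow-list HTML sanitizer plus an active-content detector.

Added example, not Liferay or AntiSamy code. The allow-list below is an
assumption for illustration; the real policy is the AntiSamy configuration.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy: tags and attributes that survive sanitization.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "h1", "h2", "h3", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
REQUIRED_ATTR = {"img": "src"}          # drop the tag if this attr was removed
VOID_TAGS = {"br", "img"}
# URL schemes accepted in href/src; "javascript:" and "data:" are rejected.
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)


class Sanitizer(HTMLParser):
    """Rebuilds the document keeping only allow-listed tags/attributes.
    Text inside <script>/<style> is discarded; all other text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text
        kept = {}
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):            # inline event handlers
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not SAFE_URL.match(value):
                continue                         # e.g. javascript: URLs
            kept[name] = value
        if tag in REQUIRED_ATTR and REQUIRED_ATTR[tag] not in kept:
            return  # an <img> whose src was rejected is useless; drop it
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_in: str) -> str:
    """Return html_in with only allow-listed markup, as a policy would store it."""
    parser = Sanitizer()
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)


# Quick check for the rendered article page after republishing: matches a
# script tag, an inline event handler attribute, or a javascript: URL.
ACTIVE_CONTENT = re.compile(
    r"<script\b|\son[a-z]+\s*=|(?:href|src)\s*=\s*['\"]?\s*javascript:",
    re.IGNORECASE,
)


def contains_active_content(rendered_html: str) -> bool:
    """True if something executable survived; should be False after the fix."""
    return ACTIVE_CONTENT.search(rendered_html) is not None


# Constructed sample of what an author could paste into the content field.
STORED_PAYLOAD = (
    "<p>Quarterly update</p>"
    "<script>alert(document.cookie)</script>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(2)">read more</a>'
    '<a href="https://example.com/report">report</a>'
)

if __name__ == "__main__":
    print("before:", contains_active_content(STORED_PAYLOAD))
    print("after :", contains_active_content(sanitize(STORED_PAYLOAD)))
    print(sanitize(STORED_PAYLOAD))
```

Run the script on its own to see the three payload vectors (script tag, onerror handler, javascript: link) removed while the ordinary link survives; point contains_active_content at the HTML of the republished article page to verify the fix on a live instance.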