Issue
-
I am experiencing an XSS issue with the Asset Publisher. I create web content with a script. When they display it on an Asset Publisher Portlet, an Alert appears for the title.
Reproduction Steps:
1. Set up DXP 7.4
2. Go to Content & Data → Web Content and create basic web content with the following (copy the whole script with the inverted commas):
a. title: "><script>alert('title');</script><"b. content: "><script>alert('content');</script><"
c. description: "><script>alert('description');</script><"
3. Go to Site Builder → Pages → Create a content (blank) Page (or a widget page) and add an Asset Publisher portlet to it.
4. Configure the Asset Selection on the Portlet to either Dynamic or Manual and select the web content to display.
Checkpoint: You will notice that an alert popup appears for the title two times.
5. Publish the Page
Actual Result: An Alert popup appears 2 times for the title. Reload the page and the alert pops up. After logging out the alert does not appear.
I am attaching a video illustration tested with u81: XSSinAP.mp4
Expected Result: The alert should not appear.
Environment
- Liferay DXP 7.4
Resolution
- The issue is resolved by LPS-188401. Kindly upgrade to the latest update or request a hotfix.