Issue
Particular variables or special characters, such as "@" and "$", are present in the URLs that the security layer blocks. Some WAF security rules do not allow special characters like "@" and "$" in URLs, and these characters appear in the URLs used to download Liferay's default JS files.
Environment
- Liferay DXP [all versions]
Resolution
Liferay has protections in place to prevent XSS attacks and is continually working on improving the product to avoid triggering firewall filters.
- To prevent Cross Site Scripting (XSS), user-submitted values are escaped on output. To support integration features, Liferay DXP does not encode input: data is stored in its original form as submitted by the user. Liferay DXP includes built-in protection against CSRF attacks, Local File Inclusion, Open Redirects, uploading and serving files of dangerous types, Content Sniffing, Clickjacking, Path Traversal, and many other common attacks. See: Introduction-to-Securing-Liferay-DXP
- Because every customer may have their own WAF rules, it is impossible to predict which specific URLs or characters will be blocked; therefore, users need to adjust their WAF to allow Liferay-specific, non-malicious requests through.
- Because implementing WAF rules for XSS is unnecessary and could break the Liferay installation, we recommend against doing so. On the other hand, changing our link encoding could break the existing firewall configurations of other customers.
- Unfortunately, we do not currently have official documentation to assist with these types of configurations. Given that there are multiple WAF providers, we are unable to cover each of them.
- As a result, what the customer can do is tune their firewall rules, or refer to the portal-ext.properties file of their particular DXP update, which contains keywords or locales that will give them an idea of which characters to allow in their environment.
- They may also review the specific Liferay URLs being blocked to see if they can whitelist them in their environment, which will expedite this process on their end.
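As an added example (not code from Liferay or from this article), the following Python script triages web-server or WAF log lines for rejected (403) requests to Liferay static-resource paths whose decoded path contains "@" or "$", and turns the observed paths into exact-match patterns for a WAF exception. The log lines and the /o/ and /combo prefixes are constructed assumptions for the example, not an official Liferay list; adjust the prefixes to the paths actually seen in your environment.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (combined log format); not from a real deployment.
# A 403 here stands for a request the WAF rejected.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /o/js/resolved-module/@liferay/frontend-js-web$1.0.0/index.js HTTP/1.1" 403 0
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /o/js/resolved-module/@liferay/frontend-js-web$1.0.0/index.js HTTP/1.1" 403 0
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /combo?browserId=chrome&minifierType=&themeId=classic_WAR_classictheme HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /o/theme/%40liferay/css/main.css HTTP/1.1" 403 0
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /web/guest/home HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /web/guest/search?q=user@example.com HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Assumed prefixes under which this deployment serves Liferay static resources.
STATIC_PREFIXES = ("/o/", "/combo")
SPECIAL = frozenset("@$")


def blocked_static_paths(log_text, prefixes=STATIC_PREFIXES):
    """Return {path: count} of 403'd requests for Liferay static resources whose
    percent-decoded path contains a character the WAF rule objects to."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("status") != "403":
            continue
        path = unquote(urlsplit(m.group("target")).path)  # %40 -> '@', etc.
        if not path.startswith(prefixes):
            continue  # user-facing URLs stay subject to the normal rules
        if SPECIAL & set(path):
            hits[path] += 1
    return dict(hits)


def exact_match_patterns(hits):
    """Anchored regexes that match only the observed paths, so the exception
    covers Liferay's own resources rather than '@'/'$' anywhere in a URL."""
    return sorted("^" + re.escape(p) + "$" for p in hits)


def is_allowed(path, patterns):
    """True if a path falls under one of the generated exception patterns."""
    return any(re.fullmatch(p, path) for p in patterns)


if __name__ == "__main__":
    for path, n in blocked_static_paths(SAMPLE_LOG).items():
        print(f"{n:4d}  {path}")
```

Only the two blocked static-resource paths are reported; the 403 on /web/guest/search is left alone because exceptions should be scoped to Liferay's own resources, not to the characters globally.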
Additional Information