Does having a script in a button fragment qualify as a potential XSS vulnerability?
István Gergely-Tárnoki
更新
Issue
We can put a Javascript code in the Button fragment's URL field, so it can be executed when we click on the button, like javascript:alert(document.cookie)
Can that be a vulnerability to Cross Site Scripting (XSS)?
Environment
Liferay DXP 7.3+
Resolution
We allow adding scripts to the button fragment, so the admin (or editors) handling the URL can use that button to trigger Javascript.
Fragments on pages must have access to the available HTML features that build up the page, like in this case, where an <a> tag can include javascript in its href attribute.
