Shiva Iyer
Cross site scripting in 6.1.0 navigation.vm
February 28, 2013 2:41 PM

Hello,

For my project we are using Liferay 6.1.0 and we have created our own custom theme. The security team ran a check and found cross-site scripting in the navigation.vm file.

In navigation.vm we have the code below:

<a href="$nav_item.getURL()" $nav_item.getTarget()><span>$nav_item.icon() $nav_item.getName()</span></a>

The Security tool was able to modify the above href URL as below ...

<a href="http://<script>alert(document.domain)</script>/...

Can anyone please help me solve this issue?

Regards,
Shiva
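
An added example, not part of the original posts and not Liferay's code or patch: a Python model of the template line quoted above that encodes each value for its HTML context before output, run on the scanner string from the post. The names `safe_href` and `render_nav_link`, the scheme allow-list and the sample values other than the scanner string are assumptions made for illustration.

```python
from html import escape
from urllib.parse import urlsplit

# Assumed policy for navigation links: absolute http(s) or relative URLs only.
ALLOWED_SCHEMES = {"http", "https", ""}

# Scanner string exactly as quoted (and truncated) in the post.
PAGE_PAYLOAD = "http://<script>alert(document.domain)</script>/..."


def safe_href(url: str) -> str:
    """Return url encoded for a double-quoted href attribute, or '#'."""
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return "#"  # unparseable URL: emit an inert link
    if scheme not in ALLOWED_SCHEMES:
        return "#"  # scheme outside the allow-list
    # quote=True also encodes " and ', so the value cannot end the attribute.
    return escape(url, quote=True)


def render_nav_link(url: str, target: str, name: str) -> str:
    """Model of the navigation.vm anchor with every value encoded on output."""
    target_attr = f' target="{escape(target, quote=True)}"' if target else ""
    return (
        f'<a href="{safe_href(url)}"{target_attr}>'
        f"<span>{escape(name)}</span></a>"
    )


if __name__ == "__main__":
    # The markup from the scanner string is emitted as inert text.
    print(render_nav_link(PAGE_PAYLOAD, "", "Home"))
    # Constructed sample: a relative URL carrying & and " characters.
    print(render_nav_link('/web/guest/home?a=1&b="x"', "_blank", "Docs & FAQ"))
```
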
Hitoshi Ozawa
RE: Cross site scripting in 6.1.0 navigation.vm
February 28, 2013 4:17 PM

Go to the community security page and get the security patch.

http://www.liferay.com/community/security-team/known-vulnerabilities
Shiva Iyer
RE: Cross site scripting in 6.1.0 navigation.vm
March 1, 2013 10:43 AM

Hello Hitoshi,

Thanks for your valuable time in replying to my post.

Regards,
Shiva