Home » Liferay Portal » English » 3. Development
Vikas V
Preventing XSS in Sign-in portlet
August 5, 2013 3:06 AM
The screen shot below depicts the URL that one gets when the Sign-in portlet is invoked. It contains details like p_p_id, lifecycle, state, mode, etc.

These are vulnerable to XSS. How can one avoid these details in the URL? Writing friendly URLs is one option for custom portlets. But this is the sign-in portlet of Liferay.

Version - Liferay 6.0 CE.
Attachments: rsz_signin.jpg (14.7k)
Tomas Polesovsky
RE: Preventing XSS in Sign-in portlet
August 7, 2013 6:53 AM
Hi,

The parameters are required and this can't be fixed with friendly URLs. The solution should be to fix the XSS problems, for example by using a Hook to overwrite the JSP and escape the output as described at http://www.liferay.com/community/wiki/-/wiki/Main/Escaping.

Can you please verify that the issues exist in newer versions?

Thanks.
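To make the "escape the output" advice concrete, here is an added illustration that is not code from this thread or from Liferay: it renders a reflected portlet parameter (p_p_state is used as the sample) first the risky way, then escaped. The escapeHtml helper is illustrative only; in a real hook JSP the same role is played by Liferay's com.liferay.portal.kernel.util.HtmlUtil.escape(), and the sample parameter value is constructed for the demo.

```java
import java.util.Arrays;
import java.util.List;

public class EscapeDemo {

    // Illustrative HTML escaper (stands in for Liferay's HtmlUtil.escape).
    // Encodes the five characters that can change HTML or attribute context.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What a JSP effectively does when it writes a request parameter
    // straight into an attribute: the value can close the attribute.
    static String renderUnsafe(String paramValue) {
        return "<input type=\"hidden\" name=\"p_p_state\" value=\""
            + paramValue + "\" />";
    }

    // Hardened form the hook JSP should use: same markup, value escaped
    // at the point of output, so it stays inside the attribute.
    static String renderSafe(String paramValue) {
        return "<input type=\"hidden\" name=\"p_p_state\" value=\""
            + escapeHtml(paramValue) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample values: a normal state and one carrying markup.
        List<String> samples = Arrays.asList("normal", "x\" onfocus=\"payload()");
        for (String value : samples) {
            System.out.println("unsafe: " + renderUnsafe(value));
            System.out.println("safe:   " + renderSafe(value));
        }
    }
}
```

Compare the two printed lines for the second sample: the unescaped version gains a new attribute, the escaped version keeps the whole value as attribute text.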
Vikas V
RE: Preventing XSS in Sign-in portlet
August 7, 2013 10:28 PM
Thanks Tomas.

The wiki link was very helpful. Will check in newer versions.