Foren

Home » Liferay Portal » English » 3. Development

Kombinierte Ansicht Flache Ansicht Baumansicht
Threads [ Zurück | Nächste ]
toggle
Cee Paxton
XSS protection in Liferay 6.1 GA1
20. Januar 2013 10:21
Antwort

Cee Paxton

Rang: New Member

Nachrichten: 3

Eintrittsdatum: 20. Januar 2013

Neue Beiträge

In prior version of Liferay, XSS protection was enabled by setting the following entry in the portal-ext.properties:

xss.allow=false

In 6.1, it looks like this has been removed as a overriden property in portal-ext. How is it toggled on and off in 6.1? Is it on by default?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
20. Januar 2013 13:07
Antwort

Hitoshi Ozawa

Rang: Liferay Legend

Nachrichten: 7949

Eintrittsdatum: 23. März 2010

Neue Beiträge

I think you'll right. The last comment in the following issue clearly states it has been removed:

http://issues.liferay.com/browse/LPS-13246
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
20. Januar 2013 13:12
Antwort

Cee Paxton

Rang: New Member

Nachrichten: 3

Eintrittsdatum: 20. Januar 2013

Neue Beiträge

Even if that particular property has been removed., do you happen to know how to turn XSS on in 6.1?

I assume that they only removed the property and not XSS protection all together.
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
20. Januar 2013 13:53
Antwort

Jelmer Kuperus

Rang: Liferay Legend

Nachrichten: 1192

Eintrittsdatum: 10. März 2010

Neue Beiträge

why would you want that ?

that property might just as well have been called

hackme=true
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
20. Januar 2013 14:09
Antwort

Cee Paxton

Rang: New Member

Nachrichten: 3

Eintrittsdatum: 20. Januar 2013

Neue Beiträge

The question is

It doesn't appear to be on by default. How is it turned on in 6.1z
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
20. Januar 2013 23:08
Antwort

Jelmer Kuperus

Rang: Liferay Legend

Nachrichten: 1192

Eintrittsdatum: 10. März 2010

Neue Beiträge

You don't because the very notion of having such a property is retarded

Now why do you think you need to enable this property.
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
21. Januar 2013 03:22
Antwort

Hitoshi Ozawa

Rang: Liferay Legend

Nachrichten: 7949

Eintrittsdatum: 23. März 2010

Neue Beiträge

As is written in the issue, XSS protection should be enable by default. If it's not, can you provide us with a test case?
Also, there have been some security patches in 6.1.0GA1. Please check if XSS protection is enabled in liferay 6.1.1 GA2.

Participate in the State of Liferay Community 2017. Help the community and even win some prizes!