Discussion Forums
Cross Site Scripting
Sharana Basavaraj Ballari, modified 8 years ago.
Cross Site Scripting
Regular Member Posts: 139 Join Date: 10/09/07
Hey guys,
I ran into a few issues when the website we built on Liferay was penetration tested. There are two types of XSS issues we are facing at the moment.
1. Injecting malicious JavaScript in the URL and trying to execute it.
2. In the control panel, when I create a site by providing a name with a bit of JavaScript code, it gets executed, which is a vulnerability.
My question: does Liferay have out-of-the-box XSS protection if someone is trying to inject bad code from the URL?
Liferay Portal 6.2.1 GA2 CE
MySQL 5.5
Java 7u56
Many thanks,
/Sharan
James Falkner, modified 8 years ago.
RE: Cross Site Scripting
Liferay Legend Posts: 1399 Join Date: 17/09/10
This was fixed in 6.2 CE GA4 - See LPS-42754. You should upgrade to the latest CE GA4.
Sharana Basavaraj Ballari, modified 8 years ago.
RE: Cross Site Scripting
Regular Member Posts: 139 Join Date: 10/09/07
Hey James,
Thank you. I understand that. For the URL injection of parameters, I am planning to implement a Filter Hook which implements AntiSamy, cleans the parameters and then processes the request. Do you think this is the right way to do it? Or does Liferay already have something in place to handle this situation?
Please guide us.
Many thanks,
/Sharan
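A sketch of the parameter-cleaning filter described in the post above, as an added example that is not part of the original thread or Liferay's own code. The class name `ParamCleaningFilter` and the policy path `/WEB-INF/antisamy-policy.xml` are assumptions, and the OWASP AntiSamy library and the Servlet API are assumed to be on the classpath.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.owasp.validator.html.*;

// Added example: hypothetical class name; the policy file path is an assumption.
public class ParamCleaningFilter implements Filter {
    private Policy policy;

    @Override public void init(FilterConfig cfg) throws ServletException {
        try { // load the AntiSamy policy once, at filter start-up
            policy = Policy.getInstance(
                cfg.getServletContext().getResourceAsStream("/WEB-INF/antisamy-policy.xml"));
        } catch (PolicyException e) {
            throw new ServletException("AntiSamy policy could not be loaded", e);
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Downstream code only ever sees the wrapped request with cleaned parameters.
        chain.doFilter(new CleanRequest((HttpServletRequest) req), res);
    }

    @Override public void destroy() { }

    private String clean(String value) {
        if (value == null) return null;
        try {
            return new AntiSamy().scan(value, policy).getCleanHTML();
        } catch (ScanException | PolicyException e) {
            return ""; // fail closed: drop a value that cannot be scanned
        }
    }

    private class CleanRequest extends HttpServletRequestWrapper {
        CleanRequest(HttpServletRequest request) { super(request); }
        @Override public String getParameter(String name) { return clean(super.getParameter(name)); }
        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) out[i] = clean(raw[i]);
            return out;
        }
        @Override public Map<String, String[]> getParameterMap() {
            Map<String, String[]> out = new HashMap<String, String[]>();
            for (Object n : super.getParameterMap().keySet()) out.put((String) n, getParameterValues((String) n));
            return out;
        }
    }
}
```

A filter like this only cleans request parameters on the way in; a value that is already stored, such as the site name in the second finding, still has to be escaped where it is rendered.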
Ranjith Narahari, modified 7 years ago.
RE: Cross Site Scripting
New Member Posts: 21 Join Date: 23/01/13
Hi Sharana,
I am facing the same XSS issues. Have you found any solution for that? Could you please share how you fixed it?
Thanks & Regards,
Ranjith Narahari
Olaf Kock, modified 7 years ago.
RE: Cross Site Scripting
Liferay Legend Posts: 6403 Join Date: 23/09/08
James found a solution and posted it above: Just upgrade to the latest available version. Done. Relax & Party