XSS on aui:tags?

Gonzalo Junquera, modified 8 years ago.

XSS on aui:tags?

New Member Posts: 5 Join date: 7/04/16
Hi everyone!

I've been playing a bit with .jsp pages, with forms and aui:forms, trying to do XSS, and once I've done this, I sanitized the malicious input.

My question is this:

Imagine I have this form, whose function is to say hello to the user:


<aui:form name="<portlet:namespace />fm" action="<%= sayHello %>">
    <aui:input name="name" value="<%= formName %>" />
    <%-- submit button and other things --%>
</aui:form>


With this code, if I send <script>alert(1)</script>, it'll appear, but won't execute the code because aui:input filters the output. If I use a "normal" form (without the aui tags) it will execute it, unless I use HTMLUtil.escape() or something.

This is OK, but this behaviour doesn't happen with other tags like aui:select, for example. Also, I've observed that the "search container" doesn't filter the output either.


Is this OK?
Samuel Kong, modified 8 years ago.

RE: XSS on aui:tags?

Liferay Legend Posts: 1902 Join date: 10/03/08
Hi Gonzalo

If you believe you have found a security issue, can you follow the instructions for reporting a security issue at https://www.liferay.com/security? Also, it will be helpful if you can include more details in your report. Thanks.
Gonzalo Junquera, modified 8 years ago.

RE: XSS on aui:tags?

New Member Posts: 5 Join date: 7/04/16
Hi Samuel,
Yes, maybe I should have done it that way, but I wasn't sure if it was a real vulnerability or just me misunderstanding what is sanitized by default and what isn't.

Thanks
David H Nebinger, modified 8 years ago.

RE: XSS on aui:tags?

Liferay Legend Posts: 14916 Join date: 2/09/06
Yes it's okay.

For a search, it can only display content that is already in the system. It's not taking your script and inserting it anywhere to run, and if the admins of the site store a doc that includes JavaScript that issues an alert, there's no reason the portal should block that from being rendered.

For the aui:select option, I don't know what you're trying to say there. A select is usually also selecting one of an accepted list of values; it's not like you can add your own that includes the script tag, but if a site admin includes an option that, when you click it, issues an alert, again there's no reason for the portal not to let that happen.

The only thing that must happen is that Liferay should not allow a malicious user to submit script that can execute for any user, and its tags do that. If, however, you use the native tags or some other JavaScript tag lib, you are specifically making a choice to take that data-scrubbing activity over for yourself. Maybe you want to allow script uploads (i.e. you have some sort of live JavaScript testing site like many of those out there), or maybe you pick a library that you think is scrubbing data but, if it isn't, it's not Liferay's responsibility to take over that activity.
Gonzalo Junquera, modified 8 years ago.

RE: XSS on aui:tags?

New Member Posts: 5 Join date: 7/04/16
David H Nebinger:
Yes it's okay.

For a search, it can only display content that is already in the system. It's not taking your script and inserting it anywhere to run, and if the admins of the site store a doc that includes JavaScript that issues an alert, there's no reason the portal should block that from being rendered.

For the aui:select option, I don't know what you're trying to say there. A select is usually also selecting one of an accepted list of values; it's not like you can add your own that includes the script tag, but if a site admin includes an option that, when you click it, issues an alert, again there's no reason for the portal not to let that happen.

The only thing that must happen is that Liferay should not allow a malicious user to submit script that can execute for any user, and its tags do that. If, however, you use the native tags or some other JavaScript tag lib, you are specifically making a choice to take that data-scrubbing activity over for yourself. Maybe you want to allow script uploads (i.e. you have some sort of live JavaScript testing site like many of those out there), or maybe you pick a library that you think is scrubbing data but, if it isn't, it's not Liferay's responsibility to take over that activity.


Well, you are right, but let me show you this case:

I take the code from Custom queries in Liferay, so we have two entities: Authors and Posts.
  • We can add posts and authors
  • When we add a post, we have a select box to select the author (yes, this doesn't make sense, but it's just an example)
  • We don't filter the user's input when they add a new author


My code is this.

Showing the posts, with their title, content and author:

<liferay-ui:search-container>
    <liferay-ui:search-container-row className="com.example.Post" modelVar="post">
        <liferay-ui:search-container-column-text property="author.name" name="Author" />
        <liferay-ui:search-container-column-text property="title" />
        <liferay-ui:search-container-column-text property="content" />
    </liferay-ui:search-container-row>
    <liferay-ui:search-iterator />
</liferay-ui:search-container>



The form for adding an author is a normal aui:form with aui: tags, where the only input is the new author's name.

I used Service Builder for the persistence layer, but I'm not checking for malicious input.

So, here is the addPost form:

<aui:form name="<portlet:namespace />fp" action="<%= addPostURL %>">
    <aui:fieldset>
        <aui:input name="title" />
        <aui:input name="content" />
        <aui:select name="authorId">
            <% for (Author author : authors) { %>
                <aui:option value="<%= author.getAuthorId() %>"><%= author.getName() %></aui:option>
            <% } %>
        </aui:select>
        .......
    </aui:fieldset>
</aui:form>



So, in this case, if I add an author whose name is <script>alert(1)</script>, this will be one of my options in the select, and it will execute the JavaScript.
Also, if I create a post with this "author", when I render all the posts in the search container, the code executes again.


In the end, it's my own fault because I'm not validating the user's input, but I'm asking this because I've observed that the aui:input tag sanitizes the output at render time.
Olaf Kock, modified 8 years ago.

RE: XSS on aui:tags?

Liferay Legend Posts: 6403 Join date: 23/09/08
Gonzalo Junquera:
So, in this case, if I add an author whose name is <script>alert(1)</script>, this will be one of my options in the select, and it will execute the JavaScript.
Also, if I create a post with this "author", when I render all the posts in the search container, the code executes again.


The AUI tags deal with this - just not unconditionally in every case. You still have to make an educated guess about when to use HTMLUtil.escape(), HTMLUtil.escapeAttribute() or any of the other numerous escape methods.

Some of the AUI tags offer an escapedModel="true" attribute, with which you can be sure that you're working with escaped models only. Also note that it might make a difference whether you access a field with value="<%= author.getName() %>" or with property="name" from a model context.

Gonzalo Junquera:
In the end, it's my own fault because I'm not validating the user's input, but I'm asking this because I've observed that the aui:input tag sanitizes the output at render time.


Well, it's not so much about validating the input. One of my secret goals in life (that I'll probably never really follow through on) is to write a book with the title <script>alert("You've been victim of XSS")</script>, and then see what breaks - it's a valid title, isn't it?
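The following is an added example, not code from this thread or from Liferay, that reproduces in plain Java the two render sinks Gonzalo describes (the author names written into the <aui:option> labels of the addPost form, and the author/title/content cells of the search container) and shows the difference between writing the stored value as-is and escaping it at render time, which is the point Olaf makes about the script-tag book title. The models, the rendering methods and the escape() helper are assumptions: escape() stands in for Liferay's HtmlUtil.escape() so the class runs without the portal on the classpath, and containsScriptTag() is a demo-only check, not a real XSS detector.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: the select-option and search-container sinks from the thread,
// rendered with and without HTML escaping at render time.
public class XssRenderDemo {

    // Hypothetical minimal models in place of the Service Builder entities.
    static final class Author {
        final long authorId;
        final String name;

        Author(long authorId, String name) {
            this.authorId = authorId;
            this.name = name;
        }
    }

    static final class Post {
        final String title;
        final String content;
        final Author author;

        Post(String title, String content, Author author) {
            this.title = title;
            this.content = content;
            this.author = author;
        }
    }

    // Stand-in for HtmlUtil.escape(): replaces the characters that can change markup structure.
    static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // The authorId select from the addPost form. With escapeOutput=false the stored name goes
    // into the option label verbatim, which is exactly what happens with <%= author.getName() %>.
    static String renderAuthorOptions(List<Author> authors, boolean escapeOutput) {
        StringBuilder sb = new StringBuilder("<select name=\"authorId\">\n");
        for (Author author : authors) {
            String label = escapeOutput ? escape(author.name) : author.name;
            sb.append("  <option value=\"").append(author.authorId).append("\">")
              .append(label).append("</option>\n");
        }
        return sb.append("</select>").toString();
    }

    // One search-container row: author name, title and content as table cells.
    static String renderPostRow(Post post, boolean escapeOutput) {
        String[] cells = {post.author.name, post.title, post.content};
        StringBuilder sb = new StringBuilder("<tr>");
        for (String cell : cells) {
            sb.append("<td>").append(escapeOutput ? escape(cell) : cell).append("</td>");
        }
        return sb.append("</tr>").toString();
    }

    // Demo-only check: does the output still contain a literal <script tag a browser would run?
    static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample data using the strings from the thread, plus a legitimate
        // name that also needs escaping even though nobody is attacking anything.
        Author scriptAuthor = new Author(1L, "<script>alert(1)</script>");
        Author normalAuthor = new Author(2L, "O'Brien & Sons");
        List<Author> authors = new ArrayList<>();
        authors.add(scriptAuthor);
        authors.add(normalAuthor);
        Post post = new Post(
            "<script>alert(\"You've been victim of XSS\")</script>", "first post", scriptAuthor);

        for (boolean escapeOutput : new boolean[] {false, true}) {
            String mode = escapeOutput ? "escaped" : "raw";
            String options = renderAuthorOptions(authors, escapeOutput);
            String row = renderPostRow(post, escapeOutput);
            System.out.println(mode + " select:\n" + options);
            System.out.println(mode + " row:\n" + row);
            System.out.println("live <script> present: "
                + (containsScriptTag(options) || containsScriptTag(row)) + "\n");
        }
    }
}
```

The raw pass reproduces both executions Gonzalo saw (the option label and the search-container cell), while the escaped pass keeps the stored strings intact, including the legitimate "O'Brien & Sons", and renders them as text. In the JSP this corresponds to wrapping the expression in the escape method Olaf names, i.e. <%= HtmlUtil.escape(author.getName()) %> inside the <aui:option>, rather than rejecting such input when the author is created.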