Joe Dirt:
I found an issue with com.liferay.portal.servlet.taglib.portlet.RenderURLParamsTagUtil. Do you know where this Util get called?
well, let's see... (Apologies if it's too verbose, but I've decided to post my steps instead of the solution...)
com.liferay.portal.servlet.
taglib.portlet.
RenderURLParamsTagUtil looks like something from a taglib... let's doublecheck:
olaf@kurt:~/liferay$ grep -R -1 RenderURLParamsTagUtil portal
portal/portal-impl/src/com/liferay/portal/servlet/taglib/portlet/RenderURLParamsTagUtil.java-/**
portal/portal-impl/src/com/liferay/portal/servlet/taglib/portlet/RenderURLParamsTagUtil.java: * <a href="RenderURLParamsTagUtil.java.html"><b><i>View Source</i></b></a>
portal/portal-impl/src/com/liferay/portal/servlet/taglib/portlet/RenderURLParamsTagUtil.java- *
--
portal/portal-impl/src/com/liferay/portal/servlet/taglib/portlet/RenderURLParamsTagUtil.java- */
portal/portal-impl/src/com/liferay/portal/servlet/taglib/portlet/RenderURLParamsTagUtil.java:public class RenderURLParamsTagUtil {
portal/portal-impl/src/com/liferay/portal/servlet/taglib/portlet/RenderURLParamsTagUtil.java-
--
portal/util-taglib/src/com/liferay/taglib/portlet/RenderURLParamsTag.java- private static final String _TAG_CLASS =
portal/util-taglib/src/com/liferay/taglib/portlet/RenderURLParamsTag.java: "com.liferay.portal.servlet.taglib.portlet.RenderURLParamsTagUtil";
portal/util-taglib/src/com/liferay/taglib/portlet/RenderURLParamsTag.java-
...and of course RenderURLParamsTag can be found in
portal/util-taglib/src/META-INF/liferay-portlet-ext.tld- <name>renderURLParams</name>
portal/util-taglib/src/META-INF/liferay-portlet-ext.tld: <tag-class>com.liferay.taglib.portlet.RenderURLParamsTag</tag-class>
portal/util-taglib/src/META-INF/liferay-portlet-ext.tld- <body-content>JSP</body-content>
(other locations omitted)
So it's in the taglib liferay-portlet-ext.tld, which can be found here:
olaf@kurt:~/liferay$ grep -R -1 liferay-portlet-ext.tld portal plugins
portal/portal-web/docroot/WEB-INF/web.xml- <taglib-uri>http://liferay.com/tld/portlet</taglib-uri>
portal/portal-web/docroot/WEB-INF/web.xml: <taglib-location>/WEB-INF/tld/liferay-portlet-ext.tld</taglib-location>
portal/portal-web/docroot/WEB-INF/web.xml-
...
and if we take a look at portal/util-taglib/src/com/liferay/taglib/portlet/RenderURLParamsTag.java, particularly the use of _TAG_CLASS, we'll see that there's some classloader and reflection magic to call doEndTag on the class in question... phew.
Now that this xss issue has been publicly discussed (I usually prefer to discuss this class of issues in private), you probably mean that
key needs to be HTML-escaped too, right? Have I missed more?
For a fix, please refer to the (just created)
LPS-5357
