Message Boards

How to Prevent Javascript Injection Vulnerability In Liferay 6 ?

Updated 12 years ago by Sagar A Vyas.

How to Prevent Javascript Injection Vulnerability In Liferay 6 ?

Liferay Master Posts: 679 Join Date: 09/04/17 Recent Posts
Hi All,

I have a question related to the Javascript Injection Vulnerability in Liferay 6.

I don't know how to use it in Liferay.

I have one portlet which accepts Title (Text) and Comment (Text Area), and our requirement is that we need to prevent the Javascript Injection Vulnerability.

But the big question is: how can we achieve it? What to do?

Any pointer would really help.

Just FYI, I have gone through the links below but don't get much information.

http://issues.liferay.com/browse/LPS-5545
http://www.fermasoft.com/Blog/Liferay-523-javascript-injection-vulnerability


Thanks,
Sagar Vyas

Updated 12 years ago by Sandeep Nair.

RE: How to Prevent Javascript Injection Vulnerability In Liferay 6 ? (Answer)

Liferay Legend Posts: 1744 Join Date: 08/11/06 Recent Posts
Hi Sagar,

There are two ways.

1) To create a Servlet filter and check for request parameters and see if there is any javascript using some regex pattern

2) To do it in JSP by using HtmlUtil.escape()

Regards,
Sandeep

Updated 12 years ago by MANOVINAYAK AYYAPPAN.

RE: How to Prevent Javascript Injection Vulnerability In Liferay 6 ?

Regular Member Posts: 131 Join Date: 11/06/13 Recent Posts
Hi Sagar,

I believe XSS attack detection and prevention mechanism can be implemented at the Apache Level, instead of writing code to prevent XSS attacks.

I have less information to share with you at this point, but you could look into Apache docs for such configuration. This has been implemented in my project.

Regards,
Mano

Updated 12 years ago by Sagar A Vyas.

RE: How to Prevent Javascript Injection Vulnerability In Liferay 6 ?

Liferay Master Posts: 679 Join Date: 09/04/17 Recent Posts
Thanks Sandeep (Sandy) and Manovinayak for the quick reply.

It really helps.

I will try with the escape function first because I guess it should work, as I have seen in HtmlImpl.java.


    for (int i = 0; i < text.length(); i++) {
        char c = text.charAt(i);

        switch (c) {
            case '<':
                sb.append("&lt;");

                break;

            case '>':
                sb.append("&gt;");

                break;

            case '&':
                sb.append("&amp;");

                break;.......



Thanks,
Sagar Vyas

Updated 12 years ago by Ravi Kumar Gupta.

RE: How to Prevent Javascript Injection Vulnerability In Liferay 6 ?

Liferay Legend Posts: 1302 Join Date: 09/06/24 Recent Posts
This link should help, as Manovinayak mentioned, for Apache-level detection and protection: http://www.techjournal.info/2009/10/htaccess-protection-for-oscommerce-or.html

Updated 12 years ago by Sandeep Nair.

RE: How to Prevent Javascript Injection Vulnerability In Liferay 6 ?

Liferay Legend Posts: 1744 Join Date: 08/11/06 Recent Posts
Hi,

I had this doubt about Apache, but after seeing what Ravi has sent it seems that I may be correct. At the Apache level, it seems one can only restrict XSS if they are in the query string. If parameters are sent using POST, I don't see a way through Apache to handle the same.

I am really interested if there is a way for that as well through Apache.

Regards,
Sandeep

Updated 12 years ago by Sagar A Vyas.

RE: How to Prevent Javascript Injection Vulnerability In Liferay 6 ? (Answer)

Liferay Master Posts: 679 Join Date: 09/04/17 Recent Posts
Thanks Ravi.

I have resolved it by putting the lines below at the server side in my controller class.


String title = HtmlUtil.escape(ParamUtil.getString(portletRequest, "title"));
String comments = HtmlUtil.escape(ParamUtil.getString(portletRequest, "comments"));


Right now it is working as per my expectation.

Will there be any problem if I implement this solution?

Thanks,
Sagar Vyas

Updated 12 years ago by Sandeep Nair.

RE: How to Prevent Javascript Injection Vulnerability In Liferay 6 ? (Answer)

Liferay Legend Posts: 1744 Join Date: 08/11/06 Recent Posts
It should be fine, Sagar. Also, if you use any of the AUI or Liferay UI components, this thing is automatically handled for you for displaying such parameters, like a text box or text field.

Regards,
Sandeep
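
Added example (not written by any poster and not Liferay's code), on the question of escaping in the controller: escapeHtml is a stand-in modelled on the HtmlImpl excerpt quoted earlier, and renderComment is a hypothetical view that escapes on output, as the reply above says AUI / Liferay UI components do. It shows that escaping at input time and again in the view double-encodes the text, while storing the raw text and escaping once at render time does not.

```java
public class EscapeOnOutputDemo {
    // Stand-in HTML-body escaper modelled on the switch quoted in the thread;
    // an assumption for this example, not Liferay's HtmlImpl.
    static String escapeHtml(String text) {
        if (text == null) return "";
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical view layer that escapes whatever it renders.
    static String renderComment(String stored) {
        return "<p class=\"comment\">" + escapeHtml(stored) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input: one benign comment, one containing markup.
        String[] submitted = { "Tom & Jerry <3", "<script>alert(1)</script>" };
        for (String raw : submitted) {
            // Pattern A: escape in the controller, store the escaped text.
            String viewA = renderComment(escapeHtml(raw));
            // Pattern B: store the raw text, escape only when rendering.
            String viewB = renderComment(raw);

            System.out.println("input      : " + raw);
            System.out.println("A rendered : " + viewA);
            System.out.println("B rendered : " + viewB);

            // Neither pattern lets a live tag through, but A has been encoded
            // twice, so the reader sees entity text instead of the comment.
            if (viewA.contains("<script") || viewB.contains("<script")) {
                throw new AssertionError("unescaped markup reached the page");
            }
            if (!viewA.contains("&amp;")) {
                throw new AssertionError("expected double escaping in A");
            }
        }
    }
}
```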

Updated 12 years ago by Ravi Kumar Gupta.

RE: How to Prevent Javascript Injection Vulnerability In Liferay 6 ?

Liferay Legend Posts: 1302 Join Date: 09/06/24 Recent Posts
You are right Sandeep, I could not find anything significant to control XSS by POST method using Apache htaccess...

Maybe someone who has actually faced this might be able to help.