Joby KJ
Validation for Virtual Host
August 18, 2012 12:02 AM
Rank: Junior Member

Posts: 43

Join Date: July 13, 2012


Hi,
I have to add validation for the text fields (Public Virtual Host, Private Virtual Host) in the Virtual Host section (Manage -> Settings). Currently we can add anything in these input fields. For example, if we try to add some JavaScript, it is saved as well. The security team is saying this is a critical issue. How can I add some validation for these fields? Please find the screenshot.

Thank You
Joby

Attachments: liferay_settings.JPG (53.0k)
Mika Koivisto
RE: Validation for Virtual Host
August 20, 2012 5:46 PM
LIFERAY STAFF

Rank: Liferay Legend

Posts: 1499

Join Date: August 7, 2006


Have you checked if that is still the case with the latest Liferay version? If it is, you should open a security ticket for it.
David H Nebinger
RE: Validation for Virtual Host
August 20, 2012 5:59 PM
Rank: Liferay Legend

Posts: 6538

Join Date: September 1, 2006


Joby KJ:
I have to add validation for the text fields (Public Virtual Host, Private Virtual Host) in the Virtual Host section (Manage -> Settings). Currently we can add anything in these input fields. For example, if we try to add some JavaScript, it is saved as well. The security team is saying this is a critical issue.


I would argue that it is not a critical issue.

Only an administrator can get in and make these changes; normal joes cannot.

If you're letting your security team do vulnerability scans with an administrator's account, it's your own fault.
Amit Doshi
RE: Validation for Virtual Host
August 20, 2012 11:52 PM
Rank: Liferay Master

Posts: 543

Join Date: December 29, 2010


Mika Koivisto:
Have you checked if that is still the case with the latest Liferay version? If it is, you should open a security ticket for it.


I checked with the latest version of Liferay 6.1.10 and it's not an issue on that. It is working fine.
Mika Koivisto
RE: Validation for Virtual Host
August 21, 2012 9:48 AM

Good to hear. I know we've addressed a lot of potential XSS issues; I just wasn't sure if this was one of them.
Mika Koivisto
RE: Validation for Virtual Host
August 21, 2012 9:49 AM

Joby, what Liferay version are you using?
Joby KJ
RE: Validation for Virtual Host
August 22, 2012 12:55 AM

6.0.6
Joby KJ
RE: Validation for Virtual Host
September 25, 2012 7:41 AM

How can I fix it in Liferay 6.0.6? Please advise. Also, please let me know the corresponding files in Root.war.


Thanks
Joby
Mika Koivisto
RE: Validation for Virtual Host
September 25, 2012 12:25 PM

Look at the latest code for the same jsp and see what changed. It's probably that we've added one of the HtmlUtil escape method calls to that field to escape it properly.
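
As an added illustration of the two controls discussed in this thread (not code from the thread, from Liferay, or from edit_pages_settings.jsp): the sketch below validates a virtual host value as a host name before it is saved and HTML-escapes it when it is rendered. The class and method names are hypothetical, treating an empty value as valid is an assumption, and `escapeHtml` is a self-written stand-in for the HtmlUtil escape call mentioned above.

```java
import java.util.regex.Pattern;

public class VirtualHostCheck {
    // One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
    private static final Pattern LABEL =
        Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    /** Input validation: accept only an empty value or a syntactically valid host name. */
    static boolean isValidVirtualHost(String value) {
        if (value == null || value.isEmpty()) return true;  // assumption: field is optional
        if (value.length() > 253) return false;             // maximum host name length
        for (String label : value.split("\\.", -1)) {       // -1 keeps empty labels ("a..b")
            if (!LABEL.matcher(label).matches()) return false;
        }
        return true;
    }

    /** Output encoding for HTML text and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two valid hosts, two malformed hosts, one markup value.
        String[] samples = { "www.example.com", "intranet", "a..b",
                             "-bad.example.com", "\"><script>x</script>" };
        for (String s : samples) {
            // Validation decides whether to save; escaping is applied on every render anyway.
            System.out.println(isValidVirtualHost(s)
                + "  <input name=\"virtualHost\" value=\"" + escapeHtml(s) + "\">");
        }
    }
}
```

Validation alone does not protect values already stored before the check was added, which is why the rendered field is escaped regardless of the validation result.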
Joby KJ
RE: Validation for Virtual Host
September 25, 2012 10:53 PM

Please tell me the corresponding JSP file name with path in Liferay 6.0.6. I am not able to find the JSP file. Testing is being done by a third party. They have reported this issue.
Joby KJ
RE: Validation for Virtual Host
October 1, 2012 6:18 AM

Finally I got the JSP file name. It is ROOT.war/html/portlet/communities/edit_pages_settings.jsp.

To fix the above problem, what do I have to do?