Forums

Home » Liferay Portal » English » 6. Portal Framework

Cross site scriptting in 6.1.0 navigation.vm	Shiva Iyer	February 28, 2013 2:41 PM
RE: Cross site scriptting in 6.1.0 navigation.vm	Hitoshi Ozawa	February 28, 2013 4:17 PM
RE: Cross site scriptting in 6.1.0 navigation.vm	Shiva Iyer	March 1, 2013 10:43 AM

Cross site scriptting in 6.1.0 navigation.vm

February 28, 2013 2:41 PM

Answer

Shiva Iyer

Rank: New Member

Posts: 2

Join Date: February 28, 2013

Recent Posts

Hello,

For my project we are using Liferay 6.1.0 and we have created our custom theme. Security team ran a check and they found cross scripting in navigation.vm file.

In navigation.vm we have below code

<a href="$nav_item.getURL()" $nav_item.getTarget()><span>$nav_item.icon() $nav_item.getName()</span></a>

The Security tool was able to modify the above href URL as below ...

<a href="http://<script>alert(document.domain)</script>/...

Can anyone please help me out how to solve this issue.

Regards,
Shiva

Sign in to vote.

Flag

RE: Cross site scriptting in 6.1.0 navigation.vm

February 28, 2013 4:17 PM

Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 8000

Join Date: March 23, 2010