Hi Liferay.

I inserted a javascript-alert into the title of a blog. And it worked?
How is it possible to escape the html or javascript within a blogs title?

Is this a bug in Liferay 6 EE SP1?
How is it possible to fix this?

Best wishes,
Yves

Hi Yves,

If you have an EE account I suggest you to open ticket with your account to get a faster response.

If not, I would try to reproduce it in latest trunk and open a ticket in LPS project with the appropriate security fields. If you can contribute a solution, that would be great, otherwise our security team can look at the issue and find a solution for it. If it's deemed an security issue, it should be backported and resolved in the next EE release.

Hi Amos.

It seems to be a bug which we have introduced by hooking into the Blog-Portlet.
So for the first I try to test this in a plain installation.

Sorry, maybe i have been too fast.

Merci,
Yves