Brett Conoly
XSS (Cross site scripting) issue
March 19, 2009 1:30 PM

Hey All,
We had a security scan done on our app and it turns out that there are a lot of XSS issues caused by Liferay setting Liferay.currentURL within the source. Unfortunately I noticed that on this site it actually encodes that URL before it inserts it into the source. Does anyone know how I can get these to encode?
Thanks
Brett Conoly
RE: XSS (Cross site scripting) issue
March 20, 2009 6:07 AM

Ok, I was apparently wrong about Liferay having the XSS issue fixed. I'm posting this in hopes that someone will fix this or tell me how to fix this for my own Liferay implementation... Liferay's XSS vulnerability
Thanks
Minhchau Dang
RE: XSS (Cross site scripting) issue
March 20, 2009 11:07 AM
LIFERAY STAFF

A JIRA ticket has been opened for this issue (LPS-2566), and a fix has been committed to trunk. If you wish to track its status (for example, to track when it's backported to the version of Liferay you are using), you may bookmark that URL.

To patch the issue yourself, in /portal-web/html/common/themes/top_js.jspf, you should see a line which reads:
Liferay.currentURL = '<%= currentURL %>';

Update that line to read:
Liferay.currentURL = unescape('<%= HttpUtil.encodeURL(currentURL) %>');
Brett Conoly
RE: XSS (Cross site scripting) issue
March 20, 2009 11:21 AM

Awesome, thanks a lot for the help, that seems to be exactly what I needed.
Joseph Shum
RE: XSS (Cross site scripting) issue
March 20, 2009 12:45 PM
LIFERAY STAFF

Thanks Minhchau!

Sam's been patching up all the XSS vulnerabilities. This one must have got missed.
Brett Conoly
RE: XSS (Cross site scripting) issue
April 28, 2009 1:27 PM

Hey, you ended up helping me with this issue and I ended up running into another that's kind of causing an emergency... Is there any way you could check this one out and see if you can notify the right person about it? It would be awesome if we could figure this out sometime soon...
Thanks in advance,
Brett
Sandeep Nair
RE: XSS (Cross site scripting) issue
May 1, 2009 6:53 AM

Hi,

I just saw that in SVN the following line has been updated for the same LP 2566.

Old snippet:
Liferay.currentURL = unescape('<%= HttpUtil.encodeURL(currentURL) %>');

Updated snippet:
Liferay.currentURL = '<%= UnicodeFormatter.toString(currentURL) %>';

I saw the code and it basically converts the characters to hex.

I just want to know what the impact of this code is and whether it will work in Liferay 5.1.2.

Regards,
Sandeep
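
The three forms of the top_js.jspf line quoted in this thread, compared side by side as an added example that is not Liferay's code or any poster's. `encodeURIComponent` stands in for `HttpUtil.encodeURL`, the per-character `\uXXXX` escaper stands in for `UnicodeFormatter.toString` (both are assumptions about those classes), and `audit`, `probe` and the sample URLs are constructed for illustration.

```javascript
// Added example, not Liferay source: models the top_js.jspf line as a template.
const hex4 = (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0");

// Original line: the URL is written verbatim between the quotes.
function renderRaw(url) {
  return "Liferay.currentURL = '" + url + "';";
}

// First patch: percent-encode on the server, unescape() in the browser.
// encodeURIComponent plus %27 stands in for HttpUtil.encodeURL (assumption).
function renderPercent(url) {
  const enc = encodeURIComponent(url).replace(/'/g, "%27");
  return "Liferay.currentURL = unescape('" + enc + "');";
}

// Trunk change: every UTF-16 unit becomes a \uXXXX escape. This models what
// the thread says UnicodeFormatter.toString does; it is not that class.
function renderUnicode(url) {
  return "Liferay.currentURL = '" + url.split("").map(hex4).join("") + "';";
}

// Evaluate the rendered statement the way the inline script would run and
// report whether the value survived, whether injected code ran, and whether
// the text contains a sequence that would end the enclosing script block.
function audit(rendered, url) {
  const Liferay = {};
  const probe = { hit: false };
  let parsed = true;
  try {
    new Function("Liferay", "probe", rendered)(Liferay, probe);
  } catch (e) {
    parsed = false;
  }
  return {
    roundTrips: parsed && Liferay.currentURL === url,
    scriptRan: probe.hit,
    closesScriptTag: /<\/script/i.test(rendered),
  };
}

// Constructed sample values; probe.hit is a harmless marker.
const QUOTE_BREAK = "/web/guest/home?x=';probe.hit=true;//";
const TAG_BREAK = '/web/guest/home/"></script><script>probe.hit=true</script>';

for (const render of [renderRaw, renderPercent, renderUnicode]) {
  for (const url of [QUOTE_BREAK, TAG_BREAK]) {
    console.log(render.name, JSON.stringify(audit(render(url), url)));
  }
}
```

For the raw form, `TAG_BREAK` parses as valid JavaScript yet still reports `closesScriptTag: true`, because the HTML parser ends the script block before the JavaScript engine sees the string; both escaped forms report `false` for both checks.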
Laura Randazzo
RE: XSS (Cross site scripting) issue
August 14, 2009 6:35 AM

I have run into an unusual problem which may actually be an Apache http server problem and not a Liferay problem. I have my Tomcat server running behind an Apache http server. I applied the patches suggested here and if I send the URL

http://XXX.XXX.XXX.XXX/web/13048/1/-/message_boards/category/20180/%22%3E%3Cscript%3Ealert(6814)%3C/script%3E

to port 8080 (directly to my tomcat), the alert doesn't appear. However, if I send the above URL to port 80 (my Apache http server), I get an alert box.

I've manually put in the ;-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false;-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false

to ensure they are set to false, but I still get the same behavior. Has anyone else run into this?
Laura Randazzo
RE: XSS (Cross site scripting) issue
August 19, 2009 5:17 PM

In case someone else has run into this problem, I switched to using mod_proxy instead of mod_jk and it appears to work properly now.
Vikas R Khengare
RE: XSS (Cross site scripting) issue
October 3, 2009 12:11 AM

Hi Minhchau,

I am using Liferay 4.3.0 and I saw the /portal-web/html/common/themes/top_js.jspf file, but I haven't seen the code that you are suggesting to modify.
Actually I want to encode each URL so I can avoid XSS. If I encode the URL then people cannot use p_p_state & p_p_mode to do cross site scripting using the URL.

What should I do in this condition?

Thanks.

regards,
Vikas Khengare