Ok, I was apparently wrong about liferay having the XSS issue fixed, i'm posting this in hopes that someone will fix this or tell me how to fix this for my own liferay implementation...Liferay's XSS vulnerability
Thanks

Awesome, thanks a lot for the help, that seems to be exactly what I needed.

Hey, you ended up helping me with this issue and I ended up running into another that's kind of causing an emergency...Is there any way you could check this one out and see if you can notify the right person about it? It would be awesome if we could figure this out sometime soon...
Thanks in advance,
Brett

I have run into an unusual problem which may actually be an Apache http server problem and not a Liferay problem. I have my Tomcat server running behind an Apache http server. I applied the patches suggested here and if I send the URL

http://XXX.XXX.XXX.XXX/web/13048/1/-/message_boards/category/20180/%22%3E%3Cscript%3Ealert(6814)%3C/script%3E

to port 8080 (directly to my tomcat), the alert doesn't appear. However, if I send the above URL to port 80 (my Apache http server), I get an alert box.

I've manually put in the ;-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false;-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false

to ensure they are set to false, but I still get the same behavior. Has anyone else run into this?

Hi Minhchau,

I am using Liferay 4.3.0 and I saw /portal-web/html/common/themes/top_js.jspf file but I haven't seen the cold that you are suggesting to modify.
Actually I want to encode each URL So I can avoid XSS. If I encode URL then people can not use p_p_state & p_p_mode to do cross site scripting using URL.

What should I do in this condition?

Thanks.

regards,
Vikas Khengare