Message Board

XSS or cross site scripting vulnerability

Vipin Kumar, modified 10 years ago.

XSS or cross site scripting vulnerability

New Member Posts: 15 Join Date: 12-6-5 Recent Posts
Hi,

Can anybody help me out with how to resolve an XSS (cross-site scripting) vulnerability in Web Content Display in Liferay version 6.0.6?

-Regards
Vipin
James Falkner, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

Liferay Legend Posts: 1399 Join Date: 10-9-17 Recent Posts
Vipin Kumar:
Hi,

Can anybody help me out with how to resolve an XSS (cross-site scripting) vulnerability in Web Content Display in Liferay version 6.0.6?

-Regards
Vipin


Hey Vipin, welcome to the community! Typically the Community Security Team will issue patches for XSS issues, but the team only began doing this for the 6.1 and later versions.

The good news is that fixes for XSS issues are usually easy and involve changing a JSP to wrap the offending output in a call to the HtmlUtil.escape() method (e.g. like this). If you can describe the exact XSS issue you are seeing, someone (possibly me) can direct you to the right file to patch.

You should also consider upgrading to a newer release (6.2 is the latest), where many of these kinds of issues have already been fixed.
Vipin Kumar, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

New Member Posts: 15 Join Date: 12-6-5 Recent Posts
Thanks James,

I am facing an XSS issue in Web Content Display (WCD) with LF version 6.0.6.

Issue: whenever I try to edit the WCD and paste iframe code for an XSS attack like this: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>

then it will show an alert box on the respective page where I have added the iframe code; screenshot attached for reference.

I want to block that kind of XSS attack.

Would you help me with which file I need to change for this?
Olaf Kock, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

Liferay Legend Posts: 6403 Join Date: 08-9-23 Recent Posts
Please install the AntiSamy plugin. That will do the trick.
Vipin Kumar, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

New Member Posts: 15 Join Date: 12-6-5 Recent Posts
Thanks Olaf Kock,

I have tried to install the AntiSamy plugin, but it is available only for LF 6.1 or above.

Is there anything for LF 6.0.6 that will solve my problem?
Vipin Kumar, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

New Member Posts: 15 Join Date: 12-6-5 Recent Posts
Olaf Kock:
Please install the AntiSamy plugin. That will do the trick.


The AntiSamy plugin worked for LF 6.1 or above.

Is there anything for LF 6.0.6 that will solve my problem?
Olaf Kock, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

Liferay Legend Posts: 6403 Join Date: 08-9-23 Recent Posts
Vipin Kumar:
Is there anything for LF 6.0.6 that will solve my problem?


As 6.0.6 is no longer updated (for quite a while now), you should update and solve the problem that way. In fact, I can barely remember the download location for CE plugins at that time, or whether the update repository is available any more. However, I found http://svn.liferay.com/repos/public/plugins/branches/6.0.6/hooks/antisamy-hook/ (username: "guest", password empty), which seems to match; you might want to try it if you're lucky with this version (drawback: you need to compile it yourself).
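To make the two fixes proposed in this thread concrete (James's output encoding with HtmlUtil.escape() in a JSP, and Olaf's allowlist sanitization via the AntiSamy hook), here is an added stand-alone Java example. It is neither Liferay's nor AntiSamy's code: the class name XssDefenses, the escapeHtml()/sanitize()/safeUrl() methods and the tag, attribute and scheme allowlists are assumptions chosen for illustration, and the sample inputs are constructed. It shows why escaping alone does not fit rich web content: escapeHtml() makes the thread's iframe payload inert but would equally destroy a legitimate paragraph with a link, whereas sanitize() keeps the harmless markup and drops the iframe, inline event handlers, script bodies and javascript: URLs.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Stand-alone teaching example, not Liferay code: escapeHtml() does what a JSP that calls
// HtmlUtil.escape() does; sanitize() is a minimal allowlist sanitizer of the kind the AntiSamy
// hook applies to user-supplied HTML.
public final class XssDefenses {
    // 1. Output encoding. Correct when the field is plain text; for rich HTML (web content)
    //    it also neutralises legitimate <p>, <a>, <img> markup.
    public static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // 2. Allowlist sanitizer. The lists are assumptions for this example, not AntiSamy's
    //    policy. Anything unlisted is dropped: iframe, script, on* handlers, style=, ...
    private static final Set<String> ALLOWED_TAGS = new HashSet<>(Arrays.asList(
            "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"));
    private static final Set<String> ALLOWED_ATTRS = new HashSet<>(Arrays.asList("href", "src", "alt", "title"));
    private static final Set<String> URL_ATTRS = new HashSet<>(Arrays.asList("href", "src"));
    private static final Set<String> ALLOWED_SCHEMES = new HashSet<>(Arrays.asList("http", "https", "mailto"));
    private static final Pattern TAG = Pattern.compile("<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\\s+[^>]*)?)/?>");
    private static final Pattern ATTR = Pattern.compile(
            "([a-zA-Z][a-zA-Z0-9:-]*)\\s*(?:=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+)))?");
    private static final Pattern NUM_ENTITY = Pattern.compile("&#([xX][0-9a-fA-F]+|[0-9]+);?");

    public static String sanitize(String html) {
        StringBuilder out = new StringBuilder(html.length());
        Matcher tag = TAG.matcher(html);
        int i = 0;
        while (i < html.length()) {
            if (html.charAt(i) != '<') { out.append(html.charAt(i++)); continue; }
            tag.region(i, html.length());
            if (!tag.lookingAt()) { out.append("&lt;"); i++; continue; }   // stray '<' becomes text
            boolean closing = !tag.group(1).isEmpty();
            String name = tag.group(2).toLowerCase(Locale.ROOT);
            i = tag.end();
            if (!ALLOWED_TAGS.contains(name)) {                     // drop the tag entirely ...
                if (!closing && (name.equals("script") || name.equals("style"))) {
                    int close = html.toLowerCase(Locale.ROOT).indexOf("</" + name, i);
                    i = close < 0 ? html.length() : close;         // ... and a script/style body
                }
                continue;
            }
            if (closing) { out.append("</").append(name).append('>'); continue; }
            out.append('<').append(name);
            Matcher a = ATTR.matcher(tag.group(3));
            while (a.find()) {
                String attr = a.group(1).toLowerCase(Locale.ROOT);
                String v = a.group(2) != null ? a.group(2) : a.group(3) != null ? a.group(3)
                         : a.group(4) != null ? a.group(4) : "";
                if (!ALLOWED_ATTRS.contains(attr)) continue;             // onclick=, style=, ...
                if (URL_ATTRS.contains(attr) && !safeUrl(v)) continue;   // javascript:, data:, ...
                out.append(' ').append(attr).append("=\"")
                   .append(v.replace("\"", "&quot;").replace("<", "&lt;")).append('"');
            }
            out.append('>');
        }
        return out.toString();
    }

    // Relative URLs and http/https/mailto pass; any other scheme is rejected. Numeric
    // entities are decoded and control/whitespace characters stripped first, because
    // browsers treat "java&#9;script:" and "jav\tascript:" as javascript:.
    static boolean safeUrl(String raw) {
        StringBuffer decoded = new StringBuffer();
        try {
            Matcher e = NUM_ENTITY.matcher(raw);
            while (e.find()) {
                String n = e.group(1);
                int cp = Character.toLowerCase(n.charAt(0)) == 'x'
                        ? Integer.parseInt(n.substring(1), 16) : Integer.parseInt(n);
                e.appendReplacement(decoded, Matcher.quoteReplacement(new String(Character.toChars(cp))));
            }
            e.appendTail(decoded);
        } catch (RuntimeException ex) {
            return false;                                    // undecodable reference: treat as hostile
        }
        String url = decoded.toString().replaceAll("[\\x00-\\x20]", "").toLowerCase(Locale.ROOT);
        int colon = url.indexOf(':');
        if (colon < 0) return true;                          // no scheme: relative URL
        for (int k = 0; k < colon; k++) if ("/?#".indexOf(url.charAt(k)) >= 0) return true; // colon in path/query
        return ALLOWED_SCHEMES.contains(url.substring(0, colon));
    }

    public static void main(String[] args) {
        // Constructed inputs: the payload from the thread and a legitimate article with a link.
        String payload = "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>";
        String article = "<p>See <a href=\"https://example.com/?a=1&amp;b=2\" onclick=\"alert(1)\">docs</a>"
                + " &amp; <img src=\"javascript:alert(2)\" alt=\"x\"><script>alert(3)</script></p>";
        System.out.println(escapeHtml(payload));    // inert text: the browser displays the tag literally
        System.out.println(sanitize(payload));      // empty: iframe is not on the allowlist
        System.out.println(sanitize(article));      // keeps <p>, the https link and alt; drops onclick, javascript: src, script
    }
}
```

Run it with `javac XssDefenses.java && java XssDefenses`. The regex-based tokenizer is deliberately small and is only a teaching sketch: it does not handle comments, CDATA, unbalanced quotes or named entities inside URLs, which is exactly why a real parser-based sanitizer such as AntiSamy or the OWASP Java HTML Sanitizer belongs in production. Note that safeUrl() decodes numeric entities and strips control characters before inspecting the scheme; a naive `startsWith("javascript:")` check would let `java&#9;script:` through.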
Vipin Kumar, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

New Member Posts: 15 Join Date: 12-6-5 Recent Posts
I have tried the above antisamy-hook and successfully compiled it, but

this issue is not resolved in LF 6.0.6 even after trying the antisamy-hook.

sushil patidar, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

Expert Posts: 467 Join Date: 11-10-31 Recent Posts
Hi,
You can achieve it using the following steps.
1) Create this web content using a structure/template.
2) In the template, escape this line as follows.

        <iframe src="$htmlUtil.escapeURL(url)"></iframe>
Vipin Kumar, modified 10 years ago.

RE: XSS or cross site scripting vulnerability

New Member Posts: 15 Join Date: 12-6-5 Recent Posts
Thanks Sushil,


As per step 1: as per the requirement, I cannot create web content using a structure/template; the thing is, whenever we create/edit web content and try to paste iframe code for an XSS attack, then on publish that iframe code should not execute.

As per step 2: which file do I need to change to add this code?
<iframe src="$htmlUtil.escapeURL(url)"></iframe>