Radio Liferay Episode 22: Samuel Kong on Security

  Yes, I know. I didn't keep my previous promise to quickly follow up with the next episode. So I'm not promising again, only revealing that I'm planning to be quicker in the future.

This is another episode recorded at the previous Liferay Retreat. I sat together with Samuel Kong, GM of the Chinese office and member of Liferay's security team.

As I've been carrying this recording around for quite some time, note that there have been some changes during the last year. First and foremost, we have a new community security team, which was not around at the time of the recording. I'm planning to talk to someone from that team soon (consider yourself warned if you're on that team).

Some of the topics you'll find in this episode:

  • How to file a security issue - thankfully he is consistent with what Cynthia and Michael have reported: go to, file your issue under the component "security", optionally with private visibility. If you've already done so, please check whether your issue is still reproducible in the latest available version - it might already have been reported and fixed.
  • The OWASP (Open Web Application Security Project) site is a good resource for learning about security in web applications in general, independent of Liferay.
  • The three tools that Liferay has built in that help you prevent security issues:
    • Redirects: portal properties that configure the list of domain names and IPs Liferay is allowed to redirect to
    • CSRF: the auth token
    • XSS: the various escape methods in com.liferay.portal.kernel.util.HtmlUtil - there are so many because the correct escaping depends on the context into which the HTML text is being emitted. The AlloyUI taglibs also help a lot when you're displaying user content in forms. And there is the escaped model ("escapedModel") that ServiceBuilder generates for you.
    • Bonus: SQL injection and its prevention through ServiceBuilder.
  • When to escape HTML text in order to stay most flexible.
  • Sidenote: A call to extract and read the full A long, boring and interesting read. Oh, and the DTDs for XML files
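To make the four built-in tools and the "escape on output, not on input" point concrete, here is an added example; it is not code from the episode or from Liferay itself. It uses the Liferay kernel methods named in the notes (HtmlUtil's context-specific escape methods, the generated toEscapedModel(), QueryPos parameter binding for custom SQL, and PortalUtil.escapeRedirect(), which applies the redirect.url.* portal properties). The class and method names SafeOutputExamples, renderProfileCard, renderFromEscapedModel, findByScreenName and safeRedirectTarget are hypothetical, and the import packages assume the Liferay 6.x layout (several of these classes moved under com.liferay.portal.kernel in 7.x).

```java
// Added example, not part of the episode or of Liferay: context-aware escaping,
// ServiceBuilder escaped models, bound SQL parameters and redirect allow-listing.
// Assumption: Liferay 6.x package layout; "user", "session" and "request" are
// supplied by the calling portlet/service code.
import com.liferay.portal.kernel.dao.orm.QueryPos;
import com.liferay.portal.kernel.dao.orm.SQLQuery;
import com.liferay.portal.kernel.dao.orm.Session;
import com.liferay.portal.kernel.util.HtmlUtil;
import com.liferay.portal.model.User;
import com.liferay.portal.util.PortalUtil;

import java.util.List;
import javax.servlet.http.HttpServletRequest;

public class SafeOutputExamples {

    // XSS: the value is stored raw and escaped at the moment it is rendered,
    // choosing the escape method for the context it lands in. A single routine
    // cannot serve all four contexts, which is why HtmlUtil offers several.
    public static String renderProfileCard(User user) {
        String name = user.getFullName();  // raw, as entered by the user

        StringBuilder sb = new StringBuilder();
        // Element content: HTML escaping of < > & and quotes.
        sb.append("<h2>").append(HtmlUtil.escape(name)).append("</h2>");
        // Attribute value: attribute escaping so a quote cannot close the attribute.
        sb.append("<input type=\"text\" value=\"")
          .append(HtmlUtil.escapeAttribute(name)).append("\">");
        // Inside a JavaScript string literal: JS escaping of quotes and newlines.
        sb.append("<script>var n = '").append(HtmlUtil.escapeJS(name))
          .append("';</script>");
        // Inside a URL query parameter: URL (percent) encoding.
        sb.append("<a href=\"/profile?name=").append(HtmlUtil.escapeURL(name))
          .append("\">profile</a>");
        return sb.toString();
    }

    // ServiceBuilder's escaped model: every String getter returns HTML-escaped
    // text, so a JSP that prints nothing but element content can use it directly.
    // It is not suitable for attributes, JavaScript or URLs (see above).
    public static String renderFromEscapedModel(User user) {
        User escaped = user.toEscapedModel();
        return "<h2>" + escaped.getFullName() + "</h2>";
    }

    // SQL injection: custom SQL binds the value through QueryPos instead of
    // concatenating it into the statement text. User_ is the portal's user table.
    public static List<?> findByScreenName(Session session, String screenName) {
        String sql = "SELECT * FROM User_ WHERE screenName = ?";
        SQLQuery query = session.createSQLQuery(sql);
        QueryPos qPos = QueryPos.getInstance(query);
        qPos.add(screenName);  // bound parameter, never part of the SQL string
        return query.list();
    }

    // Open redirect: escapeRedirect() checks the target against the
    // redirect.url.security.mode / redirect.url.domains.allowed /
    // redirect.url.ips.allowed portal properties and yields nothing for a
    // domain or IP that is not on the list, so the caller falls back safely.
    public static String safeRedirectTarget(HttpServletRequest request, String fallback) {
        String redirect = PortalUtil.escapeRedirect(request.getParameter("redirect"));
        if (redirect == null || redirect.isEmpty()) {
            return fallback;
        }
        return redirect;
    }
}
```

The split between renderProfileCard and renderFromEscapedModel is the flexibility point from the notes: keeping the stored value unescaped lets the same field be emitted correctly in any context, while a pre-escaped model only fits the one context it was escaped for.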

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to the RSS feed, on iTunes or with your podcatcher of choice - you'll find all the options on And if you want to get notified when the next episode is out, follow @RadioLiferay

And please remember to rate this podcast in your podcast directory of choice and provide feedback here on the episodes as well. Thank you.

download audio file
