RE: AntiSamy Liferay 7.0
Hi, I have a security vulnerability about cross-site scripting (stored XSS) in the Liferay forum portlet (com_liferay_message_boards_web_portlet_MBPortlet).
I've been searching for a solution on the web and I've found the following link in the Liferay documentation about AntiSamy.
https://portal.liferay.dev/docs/7-0/deploy/-/knowledge_base/d/antisamy
I've configured AntiSamy as the link said, in order to prevent script tags in the forum fields:
- Whitelist = *
- Blacklist = com.liferay.message.boards.*
Can I prevent the user from using script tags in the creation of a new forum thread or new forum category?
The test I've made is to put <script>alert("xss")</script> in the category name, and when I open this category the alert shows up.
Kind regards,
Íñigo
Hi,
I couldn't reproduce it on 7.0 GA3. Maybe it's fixed?
Btw. 7.0 is a very outdated community version; I strongly recommend upgrading, there were more serious issues than just XSS, look at https://portal.liferay.dev/learn/security/known-vulnerabilities.
Sincerely,
-- tom +
Sorry Tomas,
I wasn't precise about the version I'm using; it's not Community, it's DXP.
Particularly, it is the following version:
- Liferay 7 DXP, build number: 7010
- Fix Pack: 88-7010.
Ah, ok. Have you tried to contact support? They should help you better; they know your environment and have the bandwidth to help you. Thanks!
Hi,
I've found that this problem occurs only with my custom theme.
If I set the Classic theme of Liferay or another custom theme developed by me, AntiSamy works properly.
Does anyone have any idea what my theme can have that makes AntiSamy not work?
Kind regards,
Iñigo
Hi,
Finally, the theme was right but the problem was in our ADT that prints the breadcrumb. I saw that in Liferay's breadcrumb ADT the title was escaped manually, and in our ADT I didn't do it.
Using the htmlUtil.escape() method when I print the breadcrumb's title, the problem was solved. Now I have the same vulnerability in our web content custom templates. I thought that the AntiSamy property should do this task, but I tried several configurations and none works as I wish.
Do I have to escape manually all the custom fields in all of my custom templates with the htmlUtil method, or is there any configuration to escape the values of the fields of my custom templates?
Kind regards,
Iñigo
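The fix Iñigo describes is output encoding in the template, which is a separate layer from AntiSamy's input sanitization: AntiSamy only rewrites stored input for the model classes it is configured for, while a FreeMarker template that emits a stored string verbatim will render whatever was stored. The following breadcrumb ADT fragment and web content template fragment are an added example written for this thread, not Liferay's own ADT and not code from the original posts. It assumes the breadcrumb ADT exposes an `entries` list whose items have `getTitle()` and `getURL()`, that `htmlUtil` is available in the template context (it is listed under the template editor's utilities in Liferay 7), and that the web content structure has a text field named `Title`; check those names against your own version before using it.

```freemarker
<#-- Breadcrumb ADT fragment (added example). -->
<#-- Assumed variables: entries, entry.getTitle(), entry.getURL(), htmlUtil. -->
<#if entries?has_content>
    <ul class="breadcrumb">
        <#list entries as entry>
            <li>
                <#-- Unsafe form, kept here only as a comment:
                     <a href="${entry.getURL()}">${entry.getTitle()}</a>
                     A category named <script>alert("xss")</script> would be
                     emitted as-is and executed in the browser. -->
                <#-- Safe form: encode the title for an HTML text context and
                     the URL for an href attribute context. -->
                <a href="${htmlUtil.escapeHREF(entry.getURL())}">${htmlUtil.escape(entry.getTitle())}</a>
            </li>
        </#list>
    </ul>
</#if>

<#-- Web content template fragment (added example). -->
<#-- Assumed structure field: a text field named "Title". -->
<#-- Unsafe: ${Title.getData()} renders the stored field verbatim. -->
<h2>${htmlUtil.escape(Title.getData())}</h2>
```

Use `htmlUtil.escape` for values placed between tags or in ordinary attributes, and `htmlUtil.escapeHREF` for values placed in `href`, so each field is encoded for the context it lands in. A quick check that the change works is the same one used in the thread: store a category or field value containing `<script>alert("xss")</script>` in a test environment, then confirm the page shows the literal text instead of running the alert.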