AntiSamy Liferay 7.0AntiSamy Liferay 7.0https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1182335192026-04-04T21:28:50Z2026-04-04T21:28:50ZRE: AntiSamy Liferay 7.0Iñigo Boyanohttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1184281112020-02-05T08:01:31Z2020-02-05T08:01:31ZHi, <br />Finally, the theme was right but the problems was in our ADT to print the breadcrumb. I saw that in the breadcrumb's ADT of liferay, the title was escaped manually and in ours ADT i didn´t do it. <br /><br />Using the htmlUtil.escape() method when I print the breadcrumbs title , the problem was solved.Now, I have the same vulnerability in our web content custom templates. I thougth that the antisamy property should do this task, but I tried several configurations and none works like i wish.<br /><br />Have I to escape manually all the custom fileds in all of my custom templates with the method htmlUtil or there is any configuration to escape the values of the fields of my custom templates?<br /><br />Kind regards,<br /><br />IñigoIñigo Boyano2020-02-05T08:01:31ZRE: AntiSamy Liferay 7.0Iñigo Boyanohttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1182842592020-01-16T09:00:09Z2020-01-16T09:00:09ZHi,<br /><br />I've found that this problem occurs only wiht my custom theme.<br /><br />If I set the classic theme of liferay or other custom theme develop by me, the antisamy works properly.<br /><br />Anyone has any idea of what can have my theme for what the antisamy is not working??<br /><br />Kind regards,<br /><br />IñigoIñigo Boyano2020-01-16T09:00:09ZRE: AntiSamy Liferay 7.0Tomáš Polešovskýhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1182450902020-01-10T09:14:10Z2020-01-10T09:14:10ZAh, ok. Have you tried to contact the support? They should help you better, they know your environment and have the bandwith to help you. Thanks!Tomáš Polešovský2020-01-10T09:14:10ZRE: AntiSamy Liferay 7.0Iñigo Boyanohttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1182349502020-01-09T11:17:13Z2020-01-09T11:17:13ZSorry Tomas,<br />I wasn't precise about the version i'm using, is not community, is DXP.<br />Particulary, is the next version:<br /><ul style="list-style: disc outside;"><li>Liferay 7 DXP, build number: 7010</li><li>FixPaxk: 88-7010.</li></ul>Iñigo Boyano2020-01-09T11:17:13ZRE: AntiSamy Liferay 7.0Tomáš Polešovskýhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1182345932020-01-09T10:50:05Z2020-01-09T10:50:05ZHi,<br />I couldn't reproduce it on 7.0 GA3. Maybe it's fixed? <br />Btw. 7.0 is very outdated community version, I strongly recommend to upgrade, there were more serious issues than just XSS, look at <a href="https://portal.liferay.dev/learn/security/known-vulnerabilities">https://portal.liferay.dev/learn/security/known-vulnerabilities</a>. <br />Sincerely,<br />-- tom +Tomáš Polešovský2020-01-09T10:50:05ZAntiSamy Liferay 7.0Iñigo Boyanohttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1182335182020-01-09T09:24:19Z2020-01-09T09:24:19ZHi, I have a security vulnerability about cross site scripting (XSS stored) in the liferay forum portlet (com_liferay_message_boards_web_portlet_MBPortlet).<br /><br />I've been searching a solution in the web and i've fount the following link in liferay documentation about antiSamy.<br /><a href="https://portal.liferay.dev/docs/7-0/deploy/-/knowledge_base/d/antisamy">https://portal.liferay.dev/docs/7-0/deploy/-/knowledge_base/d/antisamy</a><br /><a href="https://portal.liferay.dev/docs/7-0/deploy/-/knowledge_base/d/antisamy"></a><br /><a href="https://portal.liferay.dev/docs/7-0/deploy/-/knowledge_base/d/antisamy"></a>I've configured the antiSamy like link said in order to cannot put script tags in the forums fields:<br /><ul style="list-style: disc outside;"><li>Whitelist = *</li><li>Blacklist = com.liferay.message.boards.*</li></ul>Besides, i've checked the sanitizer-configuration.xml file and the script tag is inside with the "remove" action.<br /><br />Can I avoid the user use script tags in the creation of new forum thread or new forum category?<br /><br />The test i've made is tu put <script>alert("xss")</script> in category name and when i open this category, the alert show up.<br /><br />Kind regards,<br /><br /> ÍñigoIñigo Boyano2020-01-09T09:24:19Z