Liferay Portal p_p_id parameter vulnerable to persistent cross-site script https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=4504801 2026-05-31T20:18:24Z 2026-05-31T20:18:24Z Olaf Kock https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=5291169 2010-07-12T09:30:56Z 2010-07-12T09:30:56Z

With fisheye being down, my only guess would be to hunt down the relevant commit in svn with your favourite svn client. The commits contain the ticket number as comment.<br /><br />Sorry

Olaf Kock 2010-07-12T09:30:56Z Chris Kauffman https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=5283267 2010-07-09T21:23:21Z 2010-07-09T21:23:21Z

I need to back port this fix into a 5.1.2 code base. However, fisheye is down for the count with no hope of ever coming back. Can someone post what was actually changed to fix this?<br /><br />Thank you,

Chris Kauffman 2010-07-09T21:23:21Z Olaf Kock https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=4541558 2010-01-29T18:08:07Z 2010-01-29T18:08:07Z

<div class="quote-title">Kazutaka KAMIYA:</div><blockquote>Because there was not a function called HtmlUtil#escapeJS in 5.2.3, I decided to use org.apache.commons.lang.StringEscapeUtils#escapeJavaScript instead.</blockquote><br />You could also just add HtmlUtil to the backport and add it to the patch. This way you&#39;d have the same effect as the patch from FishEye

Olaf Kock 2010-01-29T18:08:07Z Kazutaka KAMIYA https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=4534673 2010-01-28T11:26:26Z 2010-01-28T11:26:26Z

Thank you for your advice.<br /><br />I read FishEye. Therefore I understood that there was a difference in 5.2.3 and 6.0.0 (5.3).<br />Because there was not a function called HtmlUtil#escapeJS in 5.2.3, I decided to use org.apache.commons.lang.StringEscapeUtils#escapeJavaScript instead.<br /><br />However, I worry by this method about correct.

Kazutaka KAMIYA 2010-01-28T11:26:26Z Olaf Kock https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=4507296 2010-01-21T20:50:42Z 2010-01-21T20:50:42Z

Look at the patches in the FishEye tab at <a href="http://issues.liferay.com/browse/LPS-6034">LPS-6034</a> and see if the patches to trunk still apply without any work to the 5.2.3 codebase. Chances are that - when the code has changed - you have to look in a different line, but not in a different class.

Olaf Kock 2010-01-21T20:50:42Z Olaf Kock https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=4507291 2010-01-21T20:44:18Z 2010-01-21T20:44:18Z

<div class="quote-title">Lisa Simpson:</div><blockquote>I truly wish that Liferay would but an announcement portlet in the control panel for administrators and omni-admins so that they could push out important announcements like that to all of their users.</blockquote><br /><br />The good news is, that now you can do this yourself - at least in unpatched versions.<br /><br />(ducks and hides in the dark)

Olaf Kock 2010-01-21T20:44:18Z Lisa Simpson https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=4507084 2010-01-21T19:33:32Z 2010-01-21T19:33:32Z

I truly wish that Liferay would but an announcement portlet in the control panel for administrators and omni-admins so that they could push out important announcements like that to all of their users.

Lisa Simpson 2010-01-21T19:33:32Z Kazutaka KAMIYA https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=4504800 2010-01-21T08:36:10Z 2010-01-21T08:36:10Z

Hi,<br /><br />I found this report recently.<br /><br />US-CERT Vulnerability Note VU#750796&#8232;&#8232;&#8232;<br />Liferay Portal p_p_id parameter vulnerable to persistent cross-site scripting&#8232;&#8232;&#8232;&#8232;http://www.kb.cert.org/vuls/id/750796&#8232;<br /><br /><br />To solve this problem, should I obtain the source code of 5.3 from Subversion?<br />Now, We are developing using 5.2.3 ext and plugin_sdk.<br />Is there compatibility of 5.2 and 5.3?<br /><br />Thanks.

Kazutaka KAMIYA 2010-01-21T08:36:10Z