Escaping params in a form with ActionURL
https://liferay.dev/en/c/message_boards/find_thread?p_l_id=119785333&threadId=120820006
Posted by Jose Giron, 2021-06-08T23:36:10Z (message: https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=120820005)
<p>Hi everyone, I have a JSP with a form and its actionURL is defined
like this:</p>
<pre><code class="language-html"><liferay-portlet:actionURL portletName="buscador_WAR_cntxesuialumnosportlet" plid="${plidBuscador}" varImpl="searchTermURL" name="searchTerm" >
<liferay-portlet:param name="mvcPath" value="xxxx" />
<liferay-portlet:param name="back" value='<%=yyyy%>' />
</liferay-portlet:actionURL></code></pre>
<p>and then there's the form like this:</p>
<pre><code class="language-html"> <form action="${fn:escapeXml(searchTermURL)}" method="get" name="buscador-form" class="buscador-form">
<liferay-portlet:renderURLParams varImpl="searchTermURL"/>
<input name="term" placeholder='<liferay-ui:message key="buscador.placeholder" />' type="text" value="${fn:escapeXml(term)}" class="buscador-input" />
<input type="submit" name="tiny-buscador-button" class="tiny-buscador-button" value="" />
</form></code></pre>
<p>The problem I have is that a test run by Acunetix software is
detecting some cross-site scripting vulnerabilities, for which I need
to escape the characters.</p>
<p>It detected one with the <code>&lt;input term&gt;</code>, which seems to have been
solved by using the <code>${fn:escapeXml(term)}</code>, but then it threw another
with the param "back" defined in the actionURL portlet. For
this, I tried using the <code>${fn:escapeXml(term)}</code>, but to no avail. The
algorithm is setting the parameter to</p>
<p><code>"&lt;/script&gt;&lt;script&gt;0H6Q(9003)&lt;/script&gt;"</code>
and I would need to escape it. I've read about the option
<strong>escapeXML</strong>, but I don't know if it would be helpful
for this case, and I'm not sure how and where to use it exactly.</p>
<p>In case of being helpful, would it have to be put in the definition
of the parameter "back" or in the liferay-portlet:actionURL?</p>
<p>Or maybe in the liferay-portlet:renderURLParams variable?</p>
<p>By the way, I'm using Liferay 6.1.2 CE (I know it's pretty old, but
it's out of my hands to update it...)</p>
<p>Thanks in advan
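<p>The following is an added example and is not code from the post above or from Liferay. It reimplements the five substitutions the JSTL <code>fn:escapeXml</code> function performs, applies them to the scanner probe value quoted in the post, and renders the "back" value in the two places a form parameter ends up: as a hidden input in the form body and inside the action URL. The base URL and the hidden-input markup are assumptions made for the demonstration; how Liferay's own <code>renderURLParams</code> tag escapes its hidden inputs is not something this example checks.</p>

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/**
 * Added example (not from the forum post or from Liferay): shows the two
 * distinct encodings a request parameter such as "back" needs on the way
 * back into a page, using the scanner probe value quoted in the post.
 */
public class ParamEscapeDemo {

    /** Same five substitutions the JSTL fn:escapeXml function applies. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Percent-encoding for a value placed in a URL query string (Java 6 compatible). */
    static String urlEncode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /** Hidden input as emitted into the form body; the value is an HTML attribute. */
    static String hiddenInput(String name, String value, boolean escape) {
        String v = escape ? escapeXml(value) : value;
        return "<input type=\"hidden\" name=\"" + escapeXml(name) + "\" value=\"" + v + "\" />";
    }

    /**
     * Action attribute: the value is URL-encoded into the query string, and the
     * finished URL is then XML-escaped because it sits in an attribute
     * (this is what ${fn:escapeXml(searchTermURL)} in the post does).
     */
    static String actionAttribute(String baseUrl, String paramName, String value) {
        String url = baseUrl + "?" + urlEncode(paramName) + "=" + urlEncode(value);
        return "action=\"" + escapeXml(url) + "\"";
    }

    /** True if a raw "<script" or "</script" tag survived into the markup. */
    static boolean containsLiveScriptTag(String html) {
        String lower = html.toLowerCase();
        return lower.contains("<script") || lower.contains("</script");
    }

    public static void main(String[] args) {
        // Constructed input: the probe value Acunetix sent for "back", as quoted in the post.
        String probe = "</script><script>0H6Q(9003)</script>";

        String unsafe = hiddenInput("back", probe, false);
        String safe   = hiddenInput("back", probe, true);
        System.out.println("unescaped: " + unsafe + "  live tag? " + containsLiveScriptTag(unsafe));
        System.out.println("escaped:   " + safe   + "  live tag? " + containsLiveScriptTag(safe));

        // Assumed base URL; the probe is percent-encoded, so no tag reaches the attribute.
        String action = actionAttribute("/web/guest/buscador", "back", probe);
        System.out.println(action + "  live tag? " + containsLiveScriptTag(action));
    }
}
```

<p>The escaped hidden input renders the probe as <code>&amp;lt;/script&amp;gt;...</code>, which the browser shows as text and never executes, while the unescaped one puts the tags straight into the page. The point this illustrates for the question above is that escaping belongs where a value is written into HTML output (the hidden input, the attribute), not where the parameter is declared: the URL needs percent-encoding for its query string and a second XML escape for the attribute, and the hidden input needs the XML escape on its value. A check like <code>containsLiveScriptTag</code> over the rendered form HTML is a cheap regression test to keep once the scanner finding is fixed.</p>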