We have a Liferay site that is ready to move into production. We ran a vulnerability scan on the site recently and found XSS issues which we need to solve before going live.
Liferay is allowing requests like the ones below:
https://<domain>/categories/sample/category/<script>xss</script>
https://<domain>/categories/sample/category/<script>alert("Script Executed")</script>
The above URLs are being allowed in Liferay and need to be validated. It would be helpful if anyone could guide me on how to validate this or prevent these requests. We are holding up our release due to this issue; any guidance will be greatly appreciated.
Versions used:
Liferay : 7.1.1 GA2(Bundled version)
Tomcat: 9.0.10
I also tried the options below in portal-ext.properties, but that didn't help:
xss.allow=false
xss.allow.com.liferay.portal.model.Portlet=false
xss.allow.com.liferay.portal.model.PortletPreferences=false
xss.allow.com.liferay.portlet.journal.model.JournalArticle.content=false
xss.allow.com.liferay.portlet.journal.model.JournalStructure.xsd=false
xss.allow.com.liferay.portlet.journal.model.JournalTemplate.xsl=false
I can see that some of these fixes were already done in older Liferay versions, but I am still facing the issue in 7.1.1.
Links to the fixes:
Link1
Link2
You can resolve the issue by having a filter that validates the URL. You can refer to this link for using filters: https://portal.liferay.dev/docs/7-1/tutorials/-/knowledge_base/t/servlet-filters You can refer to this link for raising an issue: https://portal.liferay.dev/participate/feedback/report-issues
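As an added example of the filter the answer suggests (this is not code from the question, the answer, or Liferay itself), here is a servlet filter that percent-decodes the request path once and rejects it with HTTP 400 unless every character is on an allowlist, so the scanner's `<script>` payloads, their URL-encoded form and double-encoded variants never reach the portal. The package and class name, the allowlist, and the OSGi registration properties are assumptions; the property names are taken from the Liferay 7.x servlet-filter convention described in the linked tutorial and should be checked against it for your version.

```java
package com.example.security.filter; // hypothetical package name

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;

// Registration properties follow the Liferay 7.x servlet-filter tutorial linked
// above (assumed here; verify the exact property names against that page).
@Component(
    immediate = true,
    property = {
        "servlet-context-name=",
        "servlet-filter-name=Path Validation Filter",
        "url-pattern=/*"
    },
    service = Filter.class
)
public class PathValidationFilter implements Filter {

    // Allowlist for a decoded request path: Unicode letters and digits plus the
    // punctuation friendly URLs actually use. '<', '>', '"', '\'', '(', ')',
    // whitespace and '%' are not in the set, so "<script>", "%3Cscript%3E"
    // (after one decode) and double-encoded "%253C" (decodes to "%3C", which
    // still contains '%') are all rejected.
    private static final Pattern SAFE_PATH =
        Pattern.compile("^[\\p{L}\\p{N}/_\\-.~]*$");

    // True only when the path, after a single percent-decode, consists entirely
    // of allowlisted characters. Package-private so it can be unit-tested.
    static boolean isSafePath(String rawPath) {
        if (rawPath == null) {
            return false;
        }
        String decoded;
        try {
            decoded = URLDecoder.decode(rawPath, "UTF-8");
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return false; // malformed percent-escape such as "%E" or "%ZZ"
        }
        return SAFE_PATH.matcher(decoded).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRequestURI() is the still-encoded path without the query string,
        // which is exactly the part the scanner placed the payload in.
        if (!isSafePath(request.getRequestURI())) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                "Invalid characters in request path");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

Two practical notes. First, the allowlist has to be tuned to the site's real URL scheme before go-live: paths carrying `;jsessionid=` or `+` would be rejected as written, so run the filter against the full set of friendly URLs the site serves. Second, blocking at the filter is a mitigation at the edge; it does not replace HTML-escaping in whatever page actually reflects the path segment, which is the condition under which these URLs would be exploitable rather than merely flagged by the scanner.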
Has anyone encountered this error when attempting to upload to the chrome store?
Package is invalid. Details: 'Could not load JavaScript 'scripts/scraper.js' for content script.'
Any direction would be appreciated,
Cheers
You may want to first try the suggestions in this SO post. As mentioned in the thread, Google documentation recommends logging out and back in with the account you want to use to publish your app or extension. You might also need to accept the terms of service on the Chrome Developer dashboard.
In addition to that, I also found a similar issue in the Google Forum, where it was mentioned that there is already a filed bug which you can star to receive email updates. This is a somewhat old issue, but, checking the thread, it hasn't been resolved yet.
I spotted a bug in Kentico 9; how can I discuss it and report it to the Kentico developers? I don't think that StackOverflow or any type of Q&A forum is the right place to report bugs.
You can submit a bug via Kentico's submit support issue page, directly by mail to support#kentico.com, or within the Submit a support issue app in Kentico CMS or EMS (see the attached image below). Please note there is 24/7 phone support, too (phone numbers are mentioned on the page above).
Please note, it is a good idea to check whether your issue has already been resolved in your version of Kentico CMS or EMS - you can check it on Kentico devnet.
They have a bug reporting page: http://www.kentico.com/services/submit-support-issue
I have tried a few options for implementing search in Umbraco, but none seems to be easy and working.
It would be a great help if anybody could give some code help or point me to a precise document for setting it up correctly.
Thanks in advance.
If you are looking for an out-of-the-box library that enables website frontend search for Umbraco 10+, try USiteSearch
Note: I am the creator of this package
Take a look at the following links:
http://24days.in/umbraco/2013/getting-started-with-examine/
https://our.umbraco.org/documentation/Reference/Searching/Examine/
http://umbraco.com/follow-us/blog-archive/2011/9/16/examining-examine
These should have you up and running in no time. Any issues update the post. ;)
I saw the commercial library for iAds from Monte, but he isn't developing it any longer due to the coming of InnerActive Ads in LiveCode, right? So I have created an InnerActive account and tried the only lesson I found on LiveCode Lessons. That didn't work. So I posted a comment there, which has been awaiting moderation for quite some time now. I also mailed Inneractive and got a ticket reply, but no answer from them either.
If anyone has ads with Inneractive running, please tell/show us how you did it. I am calling mobileAdRegister with my appID and that seems okay. Then I try mobileAdCreate and mobileAdSetTopVisible, and 'the result' tells me 'could not create ad'.
The Dictionary then tells me the app does not have Internet permissions or the registered app key is not valid. But I do check for an internet connection and I'm sure I'm using my valid appID.
Regards, Amsterfrank
I have tested ads in the current release of LiveCode and they do indeed seem to be broken.
The LiveCode quality control team is aware of this and is currently investigating what could be the cause. A report on this issue can be viewed here:
http://quality.runrev.com/show_bug.cgi?id=11224
A workaround for now is to use an older version of LiveCode. After running a few tests, the last version of LiveCode that does not exhibit the mobile ad bug is LiveCode 6.0.0. This is available to download from here:
http://downloads.livecode.com/livecode/
With that being said, I would recommend holding off until the issue is resolved in a more current release, as there have been many bug fixes/enhancements to LiveCode since 6.0.0.
I know there are two apps on the EE official page, MarsEdit and Ecto, but both seem outdated. Can someone confirm that they work OK with EE2 for publishing etc., or is there another app doing the same job?
I found this article http://eeinsider.com/blog/using-marsedit-3-with-expressionengine-2/ but the tutorial is gone, I guess :(
Thank you