Portlet preferences XSS validations in AdminPortlet (Portlet instances) should be disabled
------------------------------------------------------------------------------------------
Key: JBPORTAL-2449
URL: https://jira.jboss.org/jira/browse/JBPORTAL-2449
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: 2.7.2 Final
Environment: Sun JDK 1.5, JBoss AS 4.2.3.GA, JBoss Portal from branch27
Reporter: Marek Posolda
Fix For: 2.8 Final
See comments in JBEPP-104. The issue is fixed in the EPP43 branch but not in branch27. Description of the issue:
1) Go to http://localhost:8080/portal/auth/portal/admin
2) Go to "portlet definitions" and create a new instance of Content Management System Portlet.
3) Go to "portlet instances" and go to the portlet preferences of the new CMSPortlet instance.
4) Try to change the "indexpage" preference to the value "/default/indexx.html". Click the "Update" button.
5) You get a validation message that the characters / and . are not permitted (but they should be).