Summary

    * Status: View templates vulnerable to JS injection
    * CCP Issue: CCP-902, Product Jira Issue: ECMS-2174.
    * Complexity: N/A

The Proposal
Problem description

What is the problem to fix?

View templates for various content types in SitePublisher are vulnerable to JS injection / XSS attack.

When rendering a view template (for example when opening a document in the ContentExplorer portlet), any JavaScript contained in the textual fields is executed. If the content item has JS in its 'Title' field, it is executed even when listing folder items.

This is particularly dangerous for the various forms generated by Form Generator and displayed on the web site by the Basic/StandardContentCreator portlet to collect user feedback. An anonymous attacker can use it to run scripts with management or admin privileges.

Steps to Reproduce:
1) go to ACME site's Contact Us page
2) put <script>alert('XSS')</script> into one of the textual input fields and send
3) log in as root
4) go to ContentExplorer --> Sites Management --> acme --> documents
5) open the saved item

The JS gets executed with root's privileges.
Fix description

How is the problem fixed?

    * We will filter on the front side when saving content to avoid this XSS vulnerability. When the user enters content into the textual input fields, we will remove the parts of the content that can trigger XSS, such as:
         1. Remove content inside <script> tags
         2. Remove javascript: calls
         3. Remove on* attributes such as onLoad or onClick
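
The three rules above, written out as a small standalone filter next to the output-side escaping that the view templates also need. This is an added illustration, not the code from DialogFormUtil.java or Utils.java in the patch; the function names `strip_xss`, `escape_for_view` and `filter_samples` and the sample strings (built from the payload in the Steps to Reproduce) are constructed for this example.

```python
import html
import re

# Constructed sample inputs: the payload from the Steps to Reproduce plus one
# instance of each pattern named in the fix description. Not real user data.
SAMPLE_INPUTS = {
    "script_tag": "Hello <script>alert('XSS')</script> world",
    "javascript_url": '<a href="javascript:alert(1)">Contact</a>',
    "event_handlers": '<img src="x" onerror="alert(1)" onLoad="go()">',
    "clean": "Plain title with <b>bold</b> text",
}

# Rule 1: whole <script>...</script> blocks, content included; a second
# pattern catches a dangling open or close script tag with no partner.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)
# Rule 2: the javascript: pseudo-protocol; whitespace between the letters is
# tolerated because browsers ignore it inside a URL scheme.
JAVASCRIPT_CALL = re.compile(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.IGNORECASE)
# Rule 3: on* event-handler attributes (onLoad, onClick, onerror, ...) with a
# quoted or unquoted value.
ON_ATTRIBUTE = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)


def strip_xss(value: str) -> str:
    """Input-side filter applied when the form content is saved.

    Re-runs the substitutions until nothing changes, so that removing one
    construct cannot splice together another (e.g. "<scr<script>ipt>").
    """
    previous = None
    while previous != value:
        previous = value
        value = SCRIPT_BLOCK.sub("", value)
        value = SCRIPT_TAG.sub("", value)
        value = JAVASCRIPT_CALL.sub("", value)
        value = ON_ATTRIBUTE.sub("", value)
    return value


def escape_for_view(value: str) -> str:
    """Output-side defense for the view template: HTML-encode the value at
    render time so whatever is stored is displayed as text, not markup.
    This also covers items saved before the input filter existed."""
    return html.escape(value, quote=True)


def filter_samples() -> dict:
    """Runs the input filter over every constructed sample."""
    return {name: strip_xss(text) for name, text in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    for name, cleaned in filter_samples().items():
        print(f"{name:15} -> {cleaned!r}")
    print("rendered title  ->", escape_for_view(SAMPLE_INPUTS["script_tag"]))
```

The filter removes exactly the constructs the proposal lists and nothing else, which is also its limit: a pattern blacklist has false positives (any attribute whose name starts with "on") and can be bypassed by encodings it does not anticipate, so escaping the field when the view template renders it is the defense that holds regardless of what reached the repository.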

Patch files: ECMS-2174.patch

Tests to perform

Reproduction test
* Steps to reproduce:

    * create a new node type exo:navigable (node type definition attached)
    * in Site Administration > Advanced Configuration > Manage Scripts, create a new script called MakeNavigableScript.groovy (script attached)
    * in Site Administration > Advanced Configuration > Create an Action Type, create a new action type with the name exo:makeNavigable and choose the previously created script.
    * in Site Administration > Manage Templates, add a new template for the exo:makeNavigable node type. Leave the default dialog and view templates.
    * go to the Sites Explorer, in Sites Management > acme
    * create a new folder called testaction
    * go into this folder and click on Manage Actions (add this button in the view if not present)
    * select the Add Action tab
    * select exo:makeNavigable action
    * enter a name, an exo_name and enter "node_added" in the exo_lifecyclePhase field
    * save
    * add a new article in the testaction folder
      ---> the article does not have the exo:navigable mixin whereas the debug traces tell the contrary
    * add a new webcontent in the testaction folder
      ---> the webcontent root node does not have the exo:navigable mixin but its default.html file has it.

Tests performed at DevLevel

    * cf. above

Tests performed at QA/Support Level

    * cf. above

Documentation changes

Documentation changes:

    * No

Configuration changes

Configuration changes:

    * No

Will previous configuration continue to work?

    * Yes

Risks and impacts

Can this bug fix have any side effects on current client projects?

    * N/A.

Function or ClassName change

    * core/webui/src/main/java/org/exoplatform/ecm/webui/utils/DialogFormUtil.java
    * core/webui/src/main/java/org/exoplatform/wcm/webui/Utils.java

Is there a performance risk/cost?

    * No

Validation (PM/Support/QA)

PM Comment
* PL review: Patch validated

Support Comment
* Support review: Patch validated

QA Feedbacks
*

