Cross-Site Scripting: Reflected
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Issue
- A Cross-Site Scripting (XSS) vulnerability was reported against the web application. Reflected XSS occurs when a dynamically generated page echoes user-supplied input (a URL path segment, a query parameter, a form field) into the response without encoding it for the context in which it is rendered, allowing an attacker to embed a script in a crafted link that then executes in the victim's browser in the context of the Liferay site.
- Steps to reproduce:
1. Create a page named Demo.
2. Access the page using the URL http://localhost:8080/demo%26. The URL shown in the browser's address bar remains unchanged.
3. Access the page using http://localhost:8080/demo%36. The browser displays the URL as http://localhost:8080/demo6.
Environment
- Liferay DXP [7.1-7.4]
- Liferay DXP Quarterly Release
Resolution
- The reported behavior regarding URL encoding with %36 and %26 is expected and does not represent a security vulnerability. It reflects how browsers normalize percent-encoded characters in URLs.
  - %36 is the percent-encoding of the character '6'. '6' is an unreserved character, so the browser decodes it and displays demo6.
  - %26 is the percent-encoding of the character '&'. '&' is a reserved character in URLs (commonly used to separate query parameters), so the browser keeps it in encoded form; decoding it would change the structure and meaning of the URL.
  - Only unreserved characters (letters, digits, '-', '.', '_', '~') are decoded for display. Characters that could introduce markup, such as '<' (%3C) or '"' (%22), are not, so the address-bar normalization observed in the steps above cannot by itself place script into the page.
  - Whether reflected input is exploitable is decided on the server side, where the servlet container decodes the full request path before the application sees it. If the application echoes that decoded value into the response without escaping, that is a reflected XSS bug regardless of how the browser displays the URL.
- Mitigate XSS by validating user input against strict allowlists (for example, a regular expression that accepts only the characters a page name may legitimately contain) as defense in depth, and above all by encoding every reflected value for the context in which it is rendered. Validation alone is not sufficient, because a value that passes validation can still be unsafe in a different output context.
- Use Liferay's built-in utilities for escaping output, choosing the one that matches the output context:
  - HtmlUtil.escape() or HtmlUtil.escapeAttribute(): escape dynamic content for the HTML body or for an HTML attribute value before displaying it. (HtmlUtil also provides escapeJS() for values written into inline script.)
  - URLEncoder.encode(): encode values placed into URL parameters so that reserved characters cannot alter the URL or break out of the surrounding attribute; apply the attribute escaper to the result when the URL is written into an href.
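The two points above, the browser's percent-decoding rule and context-specific output escaping, worked through as an added example. This is illustrative JavaScript, not Liferay code and not HtmlUtil's implementation, chosen because the decoding behavior being explained is browser behavior and the example runs without a Liferay installation. The function names (canonicalizePath, serverDecodedPath, escapeHtml, escapeAttribute, renderHeading) and the request paths in PATHS are assumptions constructed for the example; the escapers mirror the intent of HtmlUtil.escape() and HtmlUtil.escapeAttribute(), not their exact character tables.

```javascript
// Added example, not Liferay code: why %36 decodes and %26 does not, and
// how context-aware output escaping keeps reflected input inert.

// RFC 3986 unreserved characters. A browser-style canonicalizer decodes
// percent-escapes only for these, because decoding them cannot change
// the structure of the URL.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Address-bar style normalization (constructed to mirror the behavior in
// the steps to reproduce): %36 -> '6', but %26 ('&'), %2F ('/') and
// %3C ('<') stay encoded (upper-cased) because they are reserved or unsafe.
function canonicalizePath(path) {
  return path.replace(/%([0-9A-Fa-f]{2})/g, (escape, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : `%${hex.toUpperCase()}`;
  });
}

// What the application actually receives from the servlet container: the
// path with every percent-escape decoded. This is where "%3Cscript%3E"
// becomes "<script>", so the display behavior above does not decide whether
// reflection is exploitable; output encoding does.
function serverDecodedPath(path) {
  return decodeURIComponent(path);
}

// HTML body context, in the spirit of HtmlUtil.escape(): the characters
// that can open a tag, end an attribute or start an entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attribute context, in the spirit of HtmlUtil.escapeAttribute(): encode
// everything except alphanumerics as a numeric entity so the value can
// neither close the attribute nor smuggle a quote past a lax parser.
function escapeAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Page that reflects the requested page name into a heading and a link.
// escape=false is the vulnerable template; escape=true encodes per context:
// HTML escaping for the heading, URL-encoding followed by attribute escaping
// for the href (the analogue of URLEncoder.encode() plus escapeAttribute()).
function renderHeading(requestPath, { escape = true } = {}) {
  const name = serverDecodedPath(requestPath);
  if (!escape) {
    return `<h1>${name}</h1><a href="/search?q=${name}">Search again</a>`;
  }
  const q = escapeAttribute(encodeURIComponent(name));
  return `<h1>${escapeHtml(name)}</h1><a href="/search?q=${q}">Search again</a>`;
}

// Constructed inputs: the two paths from the steps to reproduce plus a
// genuinely reflected payload.
const PATHS = {
  digit: '/demo%36',
  ampersand: '/demo%26',
  payload: '/demo%3Cscript%3Ealert(1)%3C/script%3E',
};

function demo() {
  return {
    digit: canonicalizePath(PATHS.digit),          // '/demo6'
    ampersand: canonicalizePath(PATHS.ampersand),  // '/demo%26'
    vulnerable: renderHeading(PATHS.payload, { escape: false }),
    hardened: renderHeading(PATHS.payload),
  };
}

console.log(demo());
```

Running it shows the two behaviors side by side: canonicalizePath reproduces the address-bar observation (%36 becomes 6, %26 stays %26, and %3C also stays encoded), while renderHeading shows that the exploitability question is settled on the server, where the fully decoded "<script>" either lands in the response raw (escape=false) or as "&lt;script&gt;" (escape=true).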