Does having a script in the Analytics section qualify as a potential XSS vulnerability?
Written By
Christopher Lui
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack"
publication program, made available for informational purposes. Articles
in this program were published without a requirement for independent
editing or verification and are provided"as is" without
guarantee.
Before using any information from this article, independently verify its
suitability for your situation and project.
Issue
We can put Javascript code in the Matomo (DXP 7.4) or Piwiki (DXP 7.0-7.3) field where the code can be executed on every other page
- Go to a Site's Configuration -> Site Settings -> Analytics
- Under the Matomo or Piwik fields, paste something like:
"><img src=x onerror=alert(origin)>
3. Click on Save
From then on, any time you visit a page, you'll see a pop up.
Resolution
This isn't a true vulnerability because fields like Matomo need to allow Javascript in order for those analytics services to work.
If you don't need Matomo, you can disable it by:
- Go to Control Panel - Instance Settings - Platform - Analytics
- Remove Matomo from the list and save
Now the Matomo field is no longer an option within the Site’s settings.
Does having a script in a fragment qualify as a potential XSS vulnerability?
Does having a script in a button fragment qualify as a potential XSS vulnerability?
Did this article resolve your issue ?