Legacy Knowledge Base
Published Jun. 30, 2025

Does having a script in the Analytics section qualify as a potential XSS vulnerability?

Written By

Christopher Lui

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

We can put Javascript code in the Matomo (DXP 7.4) or Piwiki (DXP 7.0-7.3) field where the code can be executed on every other page

  1. Go to a Site's Configuration -> Site Settings -> Analytics
  2. Under the Matomo or Piwik fields, paste something like:
"><img src=x onerror=alert(origin)>

3. Click on Save

From then on, any time you visit a page, you'll see a pop up.

Environment

DXP 7.0+

Resolution

This isn't a true vulnerability because fields like Matomo need to allow Javascript in order for those analytics services to work.
If you don't need Matomo, you can disable it by:

  1. Go to Control Panel - Instance Settings - Platform - Analytics
  2. Remove Matomo from the list and save

Now the Matomo field is no longer an option within the Site’s settings.

Additional Information

Does having a script in a fragment qualify as a potential XSS vulnerability?

Does having a script in a button fragment qualify as a potential XSS vulnerability?

 

Did this article resolve your issue ?

Legacy Knowledge Base