Submit Feedback
Knowledge Base
Published Sep. 10, 2025

Troubleshooting WAF Blocks on Special Characters in JavaScript URLs

Written By

Kanchan Bisht

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Issue

  • Web Application Firewalls (WAF) or other security layers block URLs containing special characters, such as "@" and "$".

  • This typically occurs when downloading Liferay's default JavaScript (JS) files, causing unexpected behavior or missing assets.

Environment

  • Liferay DXP (All Versions)

Resolution

To prevent Cross-Site Scripting (XSS), Liferay escapes user-submitted values on output rather than encoding input, which supports broader integration features. Because WAF configurations vary by provider, you must configure your firewall to allow Liferay-specific, non-malicious requests.

  1. Review your WAF or network logs to identify the specific Liferay URLs being blocked.

  2. Configure your WAF to whitelist the affected Liferay URLs, or adjust the rules to allow the @ and $ characters for Liferay-specific requests.

  3. Review your version's portal-ext.properties file for keywords or locales to help identify acceptable characters in your environment and further fine-tune your environment.

Additional Information

Did this article resolve your issue ?
Knowledge Base
Did this article resolve your issue ?