HTML Injection in the Classic Search Portlet (Legacy)

Issue

Our security tool identified HTML Injection issue.

Reproduction Steps:
1. Start up Liferay DXP 7.4 Update 62
2. On the home page, add a widget "Search".
3. In the address bar, enter the URL

localhost:8080/home?p_p_id=com_liferay_portal_search_web_portlet_SearchPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_com_liferay_portal_search_web_portlet_SearchPortlet_mvcPath=%2Fsearch.jsp&_com_liferay_portal_search_web_portlet_SearchPortlet_redirect=http%3A%2F%2Flocalhost:8080%2Fhome%3Fp_p_id%3Dcom_liferay_portal_search_web_portlet_SearchPortlet%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview&_com_liferay_portal_search_web_portlet_SearchPortlet_formDate=%3Cmeta%20content%3D%22was-tnb-klk%22%3E%3Cdiv%20style%3D%22was-tnb-klk%22%3E%3Ca%20style%3D%22was-tnb-klk%22%3E%3Cstyle%20id%3D%22was-tnb-klk%22%3E&_com_liferay_portal_search_web_portlet_SearchPortlet_keywords=nessus_was_textpw96gild&_com_liferay_portal_search_web_portlet_SearchPortlet_scope=this-site

4. Check the source code of the page and observe the malicious code "was-tnb-klk" is inserted.

Environment

Liferay DXP 7.4

Resolution

The mentioned code is inserted in a part of the JavaScript code, not the HTML code. It is escaped for JavaScript like below. Therefore, this is a false positive.

Liferay.Portlet.onLoad(
{
	canEditTitle: false,
	columnPos: 0,
	isStatic: 'end',
	namespacedId: 'p_p_id_com_liferay_portal_search_web_portlet_SearchPortlet_',
	portletId: 'com_liferay_portal_search_web_portlet_SearchPortlet',
	refreshURL: '\x2fc\x2fportal\x2frender_portlet\x3fp_l_id\x3d6\x26p_p_id\x3dcom_liferay_portal_search_web_portlet_SearchPortlet\x26p_p_lifecycle\x3d0\x26p_t_lifecycle\x3d0\x26p_p_state\x3dmaximized\x26p_p_mode\x3dview\x26p_p_col_id\x3dnull\x26p_p_col_pos\x3dnull\x26p_p_col_count\x3dnull\x26p_p_isolated\x3d1\x26currentURL\x3d\x252Fhome\x253Fp_p_id\x253Dcom_liferay_portal_search_web_portlet_SearchPortlet\x2526p_p_lifecycle\x253D0\x2526p_p_state\x253Dmaximized\x2526p_p_mode\x253Dview\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_mvcPath\x253D\x25252Fsearch\x2ejsp\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_redirect\x253Dhttp\x25253A\x25252F\x25252Flocalhost\x253A8080\x25252Fhome\x25253Fp_p_id\x25253Dcom_liferay_portal_search_web_portlet_SearchPortlet\x252526p_p_lifecycle\x25253D0\x252526p_p_state\x25253Dnormal\x252526p_p_mode\x25253Dview\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_formDate\x253D\x25253Cmeta\x252520content\x25253D\x252522was-tnb-klk\x252522\x25253E\x25253Cdiv\x252520style\x25253D\x252522was-tnb-klk\x252522\x25253E\x25253Ca\x252520style\x25253D\x252522was-tnb-klk\x252522\x25253E\x25253Cstyle\x252520id\x25253D\x252522was-tnb-klk\x252522\x25253E\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_keywords\x253Dnessus_was_textpw96gild\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_scope\x253Dthis-site',
	refreshURLData: {"_com_liferay_portal_search_web_portlet_SearchPortlet_keywords":["nessus_was_textpw96gild"],"_com_liferay_portal_search_web_portlet_SearchPortlet_mvcPath":["\/search.jsp"],"_com_liferay_portal_search_web_portlet_SearchPortlet_scope":["this-site"],"_com_liferay_portal_search_web_portlet_SearchPortlet_redirect":["http:\/\/localhost:8080\/home?p_p_id=com_liferay_portal_search_web_portlet_SearchPortlet&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view"],"_com_liferay_portal_search_web_portlet_SearchPortlet_formDate":["

Additional Information

The Classic Search portlet has been deprecated since 7.1. Please see Deprecated Apps in 7.1: What to Do. We are working on removing it in 7.4. Please see LPS-154985. Please migrate away from this portlet if you are using this portlet in your 7.4 environment.