Does having a script in the Analytics section qualify as a potential XSS vulnerability?
Written By
Christopher Lui
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.
Before using any information from this article, independently verify its suitability for your situation and project.
Issue
JavaScript placed in the Matomo (DXP 7.4) or Piwik (DXP 7.0-7.3) analytics field is executed on every other page of the site:
1. Go to a Site's Configuration -> Site Settings -> Analytics
2. Under the Matomo or Piwik field, paste something like:
"><img src=x onerror=alert(origin)>
3. Click Save
From then on, every page visit shows a pop-up.
Resolution
This isn't a true vulnerability: the Matomo and Piwik fields exist to hold the analytics service's tracking snippet, which is JavaScript, so the field must accept script for those services to work at all.
If you don't need Matomo, you can disable it:
1. Go to Control Panel -> Instance Settings -> Platform -> Analytics
2. Remove Matomo from the list and save
The Matomo field is then no longer offered in the Site's settings.
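Because the field is designed to carry script, the practical control is to confirm that what is stored there is the tracker loader you expect and nothing else. The following is an added example, not code from this article or from Liferay: a small Python audit that scans an analytics snippet for inline event handlers, relative `src` values, and references to hosts outside an allowlist. It assumes the snippet text has already been exported from Site Settings -> Analytics by whatever means you use (no Liferay API is shown), and both sample snippets below are constructed for illustration, the second being the payload from the steps above.

```python
"""Audit a stored analytics snippet against what a plain tracker loader looks like.

Added example; not part of the Liferay article or Liferay's code. Assumes the
snippet text was exported from Site Settings -> Analytics beforehand.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute http(s) URLs inside inline script text.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class _SnippetScanner(HTMLParser):
    """Collects event-handler attributes, src values and URLs found in script text."""

    def __init__(self):
        super().__init__()
        self.handlers = []       # (tag, attribute) pairs such as ("img", "onerror")
        self.urls = []           # absolute URLs from src attributes or inline script
        self.relative_srcs = []  # (tag, value) where src has no scheme/host
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.handlers.append((tag, lname))
            if lname == "src" and value is not None:
                if urlparse(value).hostname:
                    self.urls.append(value)
                else:
                    self.relative_srcs.append((tag, value))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Tracker loaders build their script URL from a literal base URL; collect it.
        if self._in_script:
            self.urls.extend(URL_RE.findall(data))


def audit_analytics_snippet(snippet, allowed_hosts):
    """Return a list of findings; an empty list means nothing unexpected was seen."""
    scanner = _SnippetScanner()
    scanner.feed(snippet)
    scanner.close()
    findings = []
    for tag, attr in scanner.handlers:
        findings.append(f"inline event handler '{attr}' on <{tag}>; tracker loaders do not need one")
    for tag, value in scanner.relative_srcs:
        findings.append(f"<{tag} src={value!r}> has no host; tracker resources use absolute URLs")
    for url in scanner.urls:
        host = urlparse(url).hostname
        if host not in allowed_hosts:
            findings.append(f"reference to unexpected host {host!r} in {url!r}")
    return findings


# Constructed sample: shaped like a typical tracker loader pointing at an example host.
EXPECTED_SNIPPET = """<!-- Matomo -->
<script>
  var _paq = window._paq = window._paq || [];
  _paq.push(['trackPageView']);
  (function() {
    var u = "https://analytics.example.com/";
    _paq.push(['setTrackerUrl', u + 'matomo.php']);
    var d = document, g = d.createElement('script'), s = d.getElementsByTagName('script')[0];
    g.async = true; g.src = u + 'matomo.js'; s.parentNode.insertBefore(g, s);
  })();
</script>
<noscript><p><img src="https://analytics.example.com/matomo.php?idsite=1&rec=1" style="border:0;" alt="" /></p></noscript>
<!-- End Matomo Code -->
"""

# The value pasted into the field in the steps above.
INJECTED_SNIPPET = '"><img src=x onerror=alert(origin)>'

ALLOWED_HOSTS = {"analytics.example.com"}  # constructed allowlist

if __name__ == "__main__":
    for label, snippet in (("expected", EXPECTED_SNIPPET), ("injected", INJECTED_SNIPPET)):
        findings = audit_analytics_snippet(snippet, ALLOWED_HOSTS)
        print(f"{label}: {'clean' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it periodically against each Site's stored value, or after any change to Site Settings, and treat any non-empty result as something to review. The allowlist is the host of your own analytics instance; everything else a tracker loader legitimately contains is relative to that host.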