I am developing Webcenter Portal application with Webcenter 188.8.131.52.
We use the People Connections message wall task flow and noticed that it doesn't filter user input against script injection. For example, one can enter <script>alert('something');</script> and click Publish. When the message wall is displayed the next time, this alert window will appear. This is an obvious security flaw; is there any way to avoid it?
As far as I know, we can only customize the visualization of WebCenter task flows, not their implementation?
I'm not sure, but can you take a look at how the messages are rendered in the task flow?
When they are rendered by an outputText, normally you can escape these things by setting escape="true", which is the default. This means that if there is no explicit escape attribute, it should escape by default and the issue should be found somewhere else.
I would also recommend opening an SR because this needs to be fixed!
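To make the point above concrete, here is an added example (not from the thread or from the WebCenter task flow itself) of an ADF Faces fragment showing the unsafe and the default rendering of a message body; the bean expression #{row.messageBody} is assumed.

```xml
<!-- Added illustration, not the People Connections task flow source.
     The value is assumed to be the user-entered message body. -->

<!-- Unsafe: escape="false" hands the stored text to the browser as markup,
     so a message such as <script>alert('something');</script> executes. -->
<af:outputText value="#{row.messageBody}" escape="false"/>

<!-- Safe: escape is omitted, so it takes its default of "true" and the
     same message is emitted as &lt;script&gt;alert(...)&lt;/script&gt;,
     which the browser displays as text rather than running. -->
<af:outputText value="#{row.messageBody}"/>

<!-- Check: view the page source of the rendered wall. Finding a literal
     <script> tag around the posted text means some component in the
     rendering path is writing raw HTML (escape="false" or a custom
     renderer), which is the place to look for the flaw. -->
```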