Bug
Resolution: Fixed
Major
5.3.14, 5.4.7
None
Kromeriz 52
1
Try this when calling the sample app:
https://demo.magnolia-cms.com/.magnolia/admincentral#app:sample:editor;%3Cimg%20src=y%20onerror=alert(String.fromCharCode(88,83,83,32,97,116,32)+document.domain)%3E
The URL-encoded parameter after editor; is rendered by the sample app's editor sub-app without HTML escaping, so the injected img element's onerror handler runs. String.fromCharCode(88,83,83,32,97,116,32) is simply "XSS at ", so the alert reads "XSS at " followed by the page's domain.
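To make the mechanics of the URL above concrete, here is an added illustration (it is not Magnolia code; admincentral itself is Java/Vaadin, and the two render functions are generic stand-ins for any code that concatenates the sub-app parameter into markup). It splits the fragment into the appType:appName:subAppId;parameter layout visible in the reported URL, URL-decodes the parameter, expands the String.fromCharCode call to show what the alert prints, and contrasts unescaped interpolation with entity-encoded output. The fragment constant is a copy of the payload from this page; the location layout is assumed to be general.

```python
"""Added illustration of the reported admincentral fragment; not Magnolia code."""
import html
import re
from urllib.parse import unquote

# Copy of the fragment from the URL in the report (after the '#').
FRAGMENT = ("app:sample:editor;%3Cimg%20src=y%20onerror=alert("
            "String.fromCharCode(88,83,83,32,97,116,32)+document.domain)%3E")


def parse_location(fragment):
    """Split 'appType:appName:subAppId;parameter' (assumed general from the
    reported URL). The parameter is the untrusted, URL-encoded part."""
    head, sep, parameter = fragment.partition(";")
    parts = head.split(":")
    if len(parts) != 3:
        raise ValueError("unexpected location format: %r" % head)
    app_type, app_name, sub_app = parts
    return {"appType": app_type, "appName": app_name, "subAppId": sub_app,
            "parameter": unquote(parameter) if sep else ""}


def decode_from_char_code(js):
    """Expand String.fromCharCode(n, n, ...) into the literal it builds, so an
    obfuscated payload can be read as what it will alert."""
    def build(match):
        codes = [c for c in match.group(1).split(",") if c.strip()]
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return re.sub(r"String\.fromCharCode\(([\d,\s]*)\)", build, js)


def render_unsafe(parameter):
    """Vulnerable pattern: the sub-app parameter is concatenated into markup."""
    return "<div class='editor-title'>%s</div>" % parameter


def render_safe(parameter):
    """Hardened pattern: entity-encode before the value reaches the DOM."""
    return "<div class='editor-title'>%s</div>" % html.escape(parameter, quote=True)


# A tag carrying an on*= attribute is the signature of this payload class.
EVENT_HANDLER_TAG = re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I)


def has_event_handler_tag(markup):
    return bool(EVENT_HANDLER_TAG.search(markup))


if __name__ == "__main__":
    loc = parse_location(FRAGMENT)
    print("parameter:", loc["parameter"])
    print("alert text:", decode_from_char_code(loc["parameter"]))
    print("unsafe fires:", has_event_handler_tag(render_unsafe(loc["parameter"])))
    print("safe fires:  ", has_event_handler_tag(render_safe(loc["parameter"])))
```

The only difference between the two render functions is the html.escape call; everything before it (parsing, URL decoding) is identical, which is the point: the fix is output encoding at the sink, not filtering the fragment.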
As the sample app is not product critical, the workaround is simple: exclude it from the webapp's pom.
Excluding it:
The app is, Maven-wise:
    <dependency>
        <groupId>info.magnolia.sample</groupId>
        <artifactId>magnolia-sample-app</artifactId>
    </dependency>
and is bundled via the ui project:
    <dependency>
        <groupId>info.magnolia.ui</groupId>
        <artifactId>magnolia-ui-project</artifactId>
    </dependency>
and in the end added/bundled into the webapp via the enterprise webapp:
    <dependency>
        <!-- Used for the Maven war:overlay -> defines the WAR's structure, the configs, web.xml etc. -->
        <groupId>info.magnolia.eebundle</groupId>
        <artifactId>magnolia-enterprise-webapp</artifactId>
        <type>war</type>
    </dependency>
    <dependency>
        <!-- Using the imported 'dependencyManagement' from the parent pom -->
        <groupId>info.magnolia.eebundle</groupId>
        <artifactId>magnolia-enterprise-webapp</artifactId>
        <type>pom</type>
    </dependency>
How to get rid of it:
In the project's webapp pom, to prevent the jar from being bundled any longer, exclude the artifact from the webapp using Maven exclusions. Both the war-type and the pom-type dependency on the enterprise webapp need the exclusion:
    <dependency>
        <!-- Used for the Maven war:overlay -> defines the WAR's structure, the configs, web.xml etc. -->
        <groupId>info.magnolia.eebundle</groupId>
        <artifactId>magnolia-enterprise-webapp</artifactId>
        <type>war</type>
        <exclusions>
            <exclusion>
                <groupId>info.magnolia.sample</groupId>
                <artifactId>magnolia-sample-app</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <!-- Using the imported 'dependencyManagement' from the parent pom -->
        <groupId>info.magnolia.eebundle</groupId>
        <artifactId>magnolia-enterprise-webapp</artifactId>
        <type>pom</type>
        <exclusions>
            <exclusion>
                <groupId>info.magnolia.sample</groupId>
                <artifactId>magnolia-sample-app</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
If you have added the ui project explicitly in the webapp's pom, you need to add the same exclusion for the sample-app artifact to the magnolia-ui-project dependency as well.
In a live system where it is already installed:
As the module does not affect anything else, its configuration can safely be removed.
- Delete the module configuration in: config:/modules/sample-app
- Delete its registration in the UI app launcher: config:/modules/ui-admincentral/config/appLauncherLayout/groups/dev/apps/sample
Here is Groovy code you could run as a Groovy script on live instances (the nodeExists guards only make it safe to run more than once):
    session = ctx.getJCRSession("config")
    // module configuration of the sample app
    if (session.nodeExists("/modules/sample-app")) {
        session.getNode("/modules/sample-app").remove()
    }
    // its entry in the app launcher's "dev" group
    if (session.nodeExists("/modules/ui-admincentral/config/appLauncherLayout/groups/dev/apps/sample")) {
        session.getNode("/modules/ui-admincentral/config/appLauncherLayout/groups/dev/apps/sample").remove()
    }
    session.save()
- Shut down the instance and remove the jar from WEB-INF/lib.
- Also ensure that it won't be re-bundled by excluding the jar in the webapp's pom, as described above.
- Start up again.
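The two steps a practitioner will want to verify afterwards are that the pom really carries the exclusion on every dependency that pulls the sample app in (both enterprise-webapp dependencies and, if declared, magnolia-ui-project) and that no magnolia-sample-app jar is left in WEB-INF/lib of the built WAR or of the exploded webapp. The check below is an added example written for this page, not a Magnolia tool; the pom fragments and the in-memory WAR it runs against are constructed for the demo, and the set of "carrier" dependencies is taken from the dependency chain described in the issue.

```python
"""Added verification (not from the Magnolia issue or project): confirm that
info.magnolia.sample:magnolia-sample-app is excluded in the webapp pom and is
absent from WEB-INF/lib of the built WAR or the exploded webapp."""
import io
import os
import xml.etree.ElementTree as ET
import zipfile

SAMPLE = ("info.magnolia.sample", "magnolia-sample-app")
# Dependencies that transitively carry the sample app, as described in the issue.
CARRIERS = {
    ("info.magnolia.eebundle", "magnolia-enterprise-webapp"),
    ("info.magnolia.ui", "magnolia-ui-project"),
}


def _text(elem, name, ns):
    child = elem.find(ns + name)
    return child.text.strip() if child is not None and child.text else None


def sample_app_leaks(pom_xml):
    """List the ways the pom still lets the sample app in: a direct dependency
    on it, or a carrier dependency (war and pom type count separately) without
    the exclusion. An empty list means the pom is clean."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    problems = []
    for dep in root.iter(ns + "dependency"):
        coords = (_text(dep, "groupId", ns), _text(dep, "artifactId", ns))
        dep_type = _text(dep, "type", ns) or "jar"
        if coords == SAMPLE:
            problems.append("direct dependency on %s:%s" % coords)
        elif coords in CARRIERS and not any(
            (_text(ex, "groupId", ns), _text(ex, "artifactId", ns)) == SAMPLE
            for ex in dep.iter(ns + "exclusion")
        ):
            problems.append("%s:%s (type %s) lacks the exclusion" % (coords + (dep_type,)))
    return problems


def bundled_sample_jars(webapp):
    """Return magnolia-sample-app*.jar names found under WEB-INF/lib. `webapp`
    is a path to a .war, a path to an exploded webapp directory, or an open
    file object containing a WAR."""
    if isinstance(webapp, (str, os.PathLike)) and os.path.isdir(webapp):
        lib = os.path.join(webapp, "WEB-INF", "lib")
        names = os.listdir(lib) if os.path.isdir(lib) else []
    else:
        with zipfile.ZipFile(webapp) as war:
            names = [n.rsplit("/", 1)[-1] for n in war.namelist()
                     if n.startswith("WEB-INF/lib/")]
    return sorted(n for n in names if n.startswith(SAMPLE[1]) and n.endswith(".jar"))


# Constructed pom fragments: "before" mirrors the issue's dependency block,
# "after" is the same block with the exclusions applied.
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId><type>war</type></dependency>
    <dependency><groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId><type>pom</type></dependency>
  </dependencies>
</project>"""

EXCLUSION = ("<exclusions><exclusion><groupId>info.magnolia.sample</groupId>"
             "<artifactId>magnolia-sample-app</artifactId></exclusion></exclusions>")
POM_AFTER = POM_BEFORE.replace("</type></dependency>", "</type>" + EXCLUSION + "</dependency>")


def build_demo_war(with_sample_app):
    """Constructed in-memory WAR with a minimal WEB-INF/lib, for the demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/magnolia-core-demo.jar", b"")
        if with_sample_app:
            war.writestr("WEB-INF/lib/magnolia-sample-app-demo.jar", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("before:", sample_app_leaks(POM_BEFORE))
    print("after: ", sample_app_leaks(POM_AFTER))
    print("bundled:", bundled_sample_jars(build_demo_war(True)))
```

Run it against the real files with sample_app_leaks(open("pom.xml").read()) and bundled_sample_jars("target/my-webapp.war") or bundled_sample_jars("/path/to/tomcat/webapps/magnolia"); both must come back empty before the instance is started again. The pom check deliberately reports the war-type and pom-type dependency separately, because an exclusion on only one of them is the mistake that lets the jar come back.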