Hello Liferay community,
I am working on a Liferay portal (e.g. version 7.4) and have observed that, when a page is rendered, the ThemeDisplay (or Liferay.ThemeDisplay in JS) includes many fields such as remoteAddr, userId, companyId, scopeGroupId, etc. Exposing some of these can pose security risks (e.g. information disclosure, enumeration, reconnaissance).
My goal is to limit or remove the more sensitive fields (for example, remoteAddr, realUserId, getUserId, getSiteAdminURL) while still preserving fields that client extensions, JavaScript, or fragments might depend on (such as getCompanyId(), getScopeGroupId(), portalURL, languageId, etc.).
My questions:
- Are there built-in configurations (portal-properties, module settings, theme config, etc.) in Liferay that allow hiding or filtering certain fields in ThemeDisplay when rendering to HTML / JavaScript?
- If there is no built-in option, has anyone implemented examples or patterns (override JSP / FreeMarker / hook / servlet filter) to sanitize or strip sensitive fields from ThemeDisplay? If so, could you share sample code or approaches?
- Would such modifications break or interfere with client extensions, fragments, or Liferay’s JS APIs? What pitfalls should one watch out for?
Thank you in advance for any insights or experience you can share!
