How XSS Protection works in AEMaaCS?

Level 4
September 27, 2023
Solved (1 reply, 2556 views)
Let's say I have an anti-samy-rules configuration in an AEM on-premise environment. How do I migrate it to AEMaaCS?

Will AEMaaCS take care of XSS protection?

 


1 reply

EstebanBustamante
Community Advisor and Adobe Champion (Accepted solution)
September 27, 2023

I haven't heard that AEMaaCS has changed the way it protects against XSS. By default there is a set of AntiSamy rules based on the OWASP recommendation; this list is located under /libs/cq/xssprotection/config.xml.

So, if you have customized this list via an overlay, you should have your new AntiSamy config in /apps/cq/xssprotection/config.xml. As long as this is part of your codebase, it will be deployed and used by AEMaaCS.

You can find more info here:

https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/security.html?lang=en#protect-against-cross-site-scripting-xss

https://blogs.perficient.com/2022/10/04/how-good-is-your-aem-security-xss/

Esteban Bustamante
Level 4
September 28, 2023

@estebanbustamante, after implementing it, how do I test it for confirmation?


EstebanBustamante
Community Advisor and Adobe Champion
September 28, 2023

I suppose you can test a couple of your custom rules. The customizations I have made in the past were related to allowing certain characters in specific tags' attributes. In my particular case, I was able to test by ensuring that those characters were not stripped out in the resulting HTML. Please be aware that these rules are evaluated by HTL (formerly Sightly). So, my test simply involved writing the characters in an HTML file and then checking if they appeared on the page.


https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/xss-protection-in-aem/m-p/315398

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-overlay-libs-cq-xssprotection-config-xml-to-project/m-p/459732 
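One way to turn the manual check described in the reply above into a repeatable test is to load the overlaid policy file directly with the OWASP AntiSamy library (the engine behind the Sling XSS rules that config.xml configures) and assert on its output. This is an added example, not code from the thread or from Adobe; it assumes the overlay lives at a Maven-style path inside a `ui.apps` module (`POLICY_PATH` is an assumption) and uses a constructed sample input with a hypothetical `data-ref` attribute standing in for whichever attribute value your custom rule is meant to allow.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class XssPolicyCheck {

    // Assumed location of the project's overlaid AntiSamy policy (the /apps/cq/xssprotection/config.xml
    // overlay mentioned in the thread) inside a ui.apps content package module.
    private static final String POLICY_PATH =
        "ui.apps/src/main/content/jcr_root/apps/cq/xssprotection/config.xml";

    // Constructed sample input: a paragraph carrying a hypothetical custom attribute whose value
    // contains a colon (the kind of character a custom rule might allow), followed by a script
    // element that any sane policy must strip.
    private static final String SAMPLE =
        "<p data-ref=\"item:42\">hello</p><script>alert(1)</script>";

    /** Runs the given HTML through the AntiSamy policy stored at policyPath and returns the cleaned markup. */
    public static String sanitize(String html, String policyPath) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(policyPath))) {
            Policy policy = Policy.getInstance(in);
            CleanResults result = new AntiSamy().scan(html, policy);
            return result.getCleanHTML();
        }
    }

    public static void main(String[] args) throws Exception {
        String out = sanitize(SAMPLE, POLICY_PATH);
        System.out.println("cleaned: " + out);

        // Negative check: the default OWASP-based rules must still remove active content.
        if (out.contains("<script")) {
            throw new AssertionError("policy let a script element through");
        }
        // Positive check: the customized rule is in effect, so the attribute value survives intact.
        if (!out.contains("item:42")) {
            throw new AssertionError("custom attribute rule not in effect: value was stripped");
        }
        System.out.println("policy behaves as expected");
    }
}
```

Wrapping `sanitize` in a JUnit test keeps the overlay under regression coverage in your build pipeline before it ever reaches AEMaaCS. Standalone AntiSamy is a close approximation rather than an exact replica of the Sling XSS filter (Sling adds its own handling around the policy, for example for href validation), so keep the end-to-end check from the reply as well: render the same value through HTL with `@ context='html'` on a deployed instance and confirm the page shows what you expect.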
