Level 3
October 16, 2015
Solved

XSS (cross-site scripting) vulnerability

http://www.abc.com/search-results.html?search-site=test&locale=en_US%22%3E%3Csvg+src%3DX+onload%3D%22prompt%28%27xss%27%29
 
I see a JavaScript alert coming up in the browser when I feed it the above URL, due to an XSS (cross-site scripting) vulnerability caused by improper handling of the provided URL parameters. Please let me know how I can solve this particular issue.
Best answer by Rob_Ryan

XSS is not something dispatcher can protect you against in general. XSS protection must be built into the code which produces the output being returned in response to requests from the user's browser. E.g. in JSPs the XSSAPI (https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html) should be used to filter or encode any values being included in the output if they come from the request, the JCR, or any external data source.

-Rob
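An added illustration (not code from this thread, from Rob, or from Adobe) of what the answer above means in a CQ 5.6.1 JSP: the unencoded output that produces the reported alert, beside the same output routed through the context-specific XSSAPI encoders. The markup, the `next` parameter and the assumption that `xssAPI` is provided by `/libs/foundation/global.jsp` are mine, not the asker's component.

```jsp
<%-- Added example, not from the thread: a component JSP that echoes
     the "locale" and "search-site" query parameters. The markup and the
     "next" parameter are assumptions for illustration. --%>
<%@ include file="/libs/foundation/global.jsp" %>
<%
    // Raw, attacker-controlled input straight from the query string.
    String locale = request.getParameter("locale");
    String term   = request.getParameter("search-site");
    if (locale == null) { locale = "en_US"; }
    if (term == null)   { term = ""; }
%>

<%-- VULNERABLE (the behaviour reported in the question): the parameter is
     written into an attribute unencoded, so a value such as
     en_US"><svg src=X onload="prompt('xss')
     closes the attribute and the tag and injects a new element. --%>
<input type="hidden" name="locale" value="<%= locale %>">

<%-- HARDENED: choose the encoder for the context the value lands in.
     xssAPI is the implicit object set up by global.jsp (assumed). --%>
<input type="hidden" name="locale" value="<%= xssAPI.encodeForHTMLAttr(locale) %>">

<%-- HTML text content: the same payload is rendered as literal text. --%>
<p>Results for <%= xssAPI.encodeForHTML(term) %></p>

<%-- A JavaScript string context needs its own encoder, not the HTML one. --%>
<script>
    var searchTerm = "<%= xssAPI.encodeForJSString(term) %>";
</script>

<%-- Untrusted URLs: getValidHref() returns a sanitized URL, or an empty
     string when the scheme or content is not acceptable for an href. --%>
<a href="<%= xssAPI.getValidHref(request.getParameter("next")) %>">Next</a>
```

Every place the component writes request, JCR or external data into the response needs one of these calls; the dispatcher never sees the injected markup as anything but a normal query string.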

5 replies

smacdonald2008
Level 10
October 16, 2015
Rob_Ryan (Accepted solution; quoted as the best answer above)
October 16, 2015


Level 3
October 16, 2015

I am using CQ 5.6.1 without Sightly. Do you have any links or a code snippet for what I could add in the dispatcher section that could protect from XSS, which in general could be used to protect the website from XSS?

Feike_Visser1
Adobe Employee
October 16, 2015

Using Sightly will automatically XSS-protect all your output.

anoopo70540109
Level 2
February 9, 2018

Hi @chandra_cq5

I am also facing the same issue. Did you get any solution? I am trying to make the changes at code level but am not able to figure out how to implement XSSAPI.

If you have done the changes, please let me know.