Hi,
We are developing a new set of templates off the foundation page components. In the view source we see the CQURLInfo object print a set of URL-related info as obtained from the input URL.
This opens it up to XSS attacks. We would like to turn it off. I believe there is a config option in 5.6; however, we are still on CQ 5.5 and there is no config option available in Felix.
Quick response is much appreciated.
thanks
pvr.
See this community thread:
In 5.5 it looks like you need to file a Daycare ticket.
Hi
Adding one more reference post:
Please contact Customer Care for it (https://daycare.day.com/home/createaticket.html).
Thanks and Regards
Kautuk Sahni
The Daycare support folks came back saying that it is not possible to turn off the CQURLInfo in 5.5.
Now, how are developers supposed to use the <cq:includeClientLib ..> tag if there is no protection from XSS attacks?
I was expecting something like a hotfix to turn this feature off.
If anyone has a better idea I would appreciate it.
-pvr
From an AEM perspective, as already mentioned, it's available only from 5.6. But in order to make sure that if someone tries to access CQURLInfo via JavaScript, they do not get the data present in it,
you can use some JS like the following (use this at the end of the template):
window.CQURLInfo = {}; console.log(window.CQURLInfo); // returns an empty object
It might cause issues if any part of AEM is using data present in CQURLInfo.
@edubey:
Thanks for the response!
Would appreciate it if you could please list the said parts of CQ that use the data of CQURLInfo,
so that, based on the functionality we are using or not using, we could decide whether to empty it or not.
I am not sure what part of AEM uses CQURLInfo; maybe some community member or Daycare support can help on its usage.
Meanwhile, use the JS I provided and execute the pages.
To note: the JS code I shared should work fine in any case, the reason being that once the pages and libraries are loaded, we are making it empty.
Regarding the note: the observed behaviour is that for every <cq:includeClientLib> the code checks whether CQURLInfo has been output; if not, that include will output it.
So if you enter the JS above at the end of the page, the CQURLInfo might already have been printed out.
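The root issue in this thread is URL-derived values being written into an inline script block without encoding. As an added example (not code from this thread or from CQ/AEM), the helper below shows how a template should serialize such values so the request URL can only change string contents, never the script structure; the field names path, selectors and suffix are assumptions for illustration, not CQURLInfo's real schema.

```javascript
// Added example, not from the thread or from CQ/AEM. Field names
// (path, selectors, suffix) are assumptions, not CQURLInfo's real schema.

// Characters that must never appear raw inside a <script> text node:
// '<' and '>' can close the block, '&' is HTML-special, and the two
// Unicode line separators break JS string literals.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// JSON-encode the value, then replace the unsafe characters with JS
// unicode escapes. JSON.parse / the JS engine restore them, but the
// HTML parser never sees a literal '</'.
function toSafeScriptLiteral(value) {
  return JSON.stringify(value).replace(SCRIPT_UNSAFE, (c) => ESCAPES[c]);
}

// Build the inline script that exposes URL info to the page.
function renderUrlInfoScript(urlInfo) {
  return '<script>window.URLInfo = ' + toSafeScriptLiteral(urlInfo) + ';</script>';
}

// Defensive check for a template test: the rendered block must contain
// exactly one closing script tag, the one the template itself wrote.
function scriptBlockIsIntact(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// Constructed sample request whose path carries markup-like characters.
const sample = { path: '/content/site/</page>', selectors: ['a&b'], suffix: '' };
const rendered = renderUrlInfoScript(sample);
console.log(rendered);
```

The same check can be run against an existing page's view source: more than one closing script tag inside what should be a single block is the symptom to look for.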