Cross Site Scripting (XSS) related doubt in AEM

Question

Hi,I have a very limited/no knowledge on XSS protection in AEM.Went through the links http://tostring.me/270/how-to-prevent-cross-site-scripting-xss-attack-on-your-adobe-cq-based-web-application/https://docs.adobe.com/content/docs/en/cq/5-6-1/deploying/security_checklist.html#Protect%20against%20Cross-Site%20Scripting%20%28XSS%29My doubt is 1] In most of the cases we will have CDN/Dispatcher front-ending the AEM websites. So, how is it that some malicious code injected on the user-facing[lets say website having CDN] page, can be handled at AEM level. Failing to understand this.2] Also, went through the OOTB config file /libs/cq/xssprotection/config.xml, But could not understand much.If you can point to any references articles /links explaining the same, it would be helpful.

MC_Stuff · Accepted Answer

XSS comes into picture if you storing something in your database or fiesystem. Example forms page where user can input data at time of registration etc... and you are storing it. CDN/Dispatcher can filter other attacks like DDOS the incoming traffic flooding into your system & also it is not meant to validate the user supplied data in general.You need to be familiar with xml,xsd and AntiSamy to understand the details.  https://www.owasp.org/index.php/AntiSamy_DirectivesThanks,

cquser1 · Answer

Hi,Thank you for your reply.In case, we have an AEM site, which does not accept any sort of input from users and just renders content, we need not worry about the XSS configuration thing, correct?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded