Expand my Community achievements bar.

SOLVED

How to use XSS prevention for js file in cq5. Is there any OOB avilable for CQ5 to use it in JS. There are xssapi which can be used in JSP and JAVA.

Avatar

Level 3

How to use XSS prevention for js file in cq5. Is there any OOB avilable for CQ5 to use it in JS. There are xssapi which can be used in JSP  and JAVA.

How to implement the XSS prevention in Java script file.

Please assist.

Thanks,

Ramya

1 Accepted Solution

Avatar

Correct answer by
Employee

Hi Ramya,

here is an example of what to use[1]. When you use AEM6, sightly was created with security by default, so it is automatic.

Regards,

Opkar

[1] http://tostring.me/270/how-to-prevent-cross-site-scripting-xss-attack-on-your-adobe-cq-based-web-app...

View solution in original post

8 Replies

Avatar

Correct answer by
Employee

Hi Ramya,

here is an example of what to use[1]. When you use AEM6, sightly was created with security by default, so it is automatic.

Regards,

Opkar

[1] http://tostring.me/270/how-to-prevent-cross-site-scripting-xss-attack-on-your-adobe-cq-based-web-app...

Avatar

Level 3

Hi Scott/ Opkar,

Thanks for the reply. I have implemented the XSS api in JSP and in JAVA. I have issue in Javascript as well EX: window.document.referrer; whoul be validated for Client DOM  XSS.

What can be implemented here in JS file can you please suggest.

Thanks,

Ramya

Avatar

Employee

Hi Ramya,

here is another resource which is helpful[1]

The approach to XSS protection is "CQ applies the principle of filtering all user-supplied content upon output." What use case are you trying to protect against?

Regards,

Opkar

[1] http://docs.adobe.com/docs/en/cq/5-6-1/developing/securitychecklist/_jcr_content/par/download/file.r...
[2] https://www.linkedin.com/pulse/20141208052114-205306823-cq-aem-best-practices

Avatar

Level 3

Hi Opkar,

Thanks for the reply . In my java script code I have var x = window.document.referrer; there is some tool to validate all the security issues.

for the this code : var x = window.document.referrer; The tool says hacker can include the script in the url while accessing which is a security issue.

I am unable to implement the any fix to encode the url and then store it the variable x.

What can be done in java script to encode the url to get ride of script inclusion.

Thanks,

Ramya

Avatar

Level 3

Hi Ramya,

You can use regular expression in javascript to replace all the tags ( like <html>,<p>,<script>) with null ("") before assigning it to a variable. I think there is no OOTB implementation for this.

regards,

Kalyan venkat

Avatar

Employee

Hi Ramya,

it would be worth asking for an example of this exploit and how others have guarded against it.

Regards,

Opkar

Avatar

Level 4

Hi  Ramya, could u pls assist me using xssAPI methods in .js file

I did not find anything related in the accepted answer link may be that was updated at some time.

Able to do it for jsp and java files doubt how to make use of xssAPI.encodeForJSString("")

in a js file in cq5.6

This is to do with xss issue reported by fortify tool for below code in js file

window.location.href = window.location.href + ("?mode=view");

Thanks