How to use XSS prevention for js file in cq5. Is there any OOB available for CQ5 to use it in JS. There are xssapi which can be used in JSP and JAVA. | Community
ramyan60274153
Level 2
October 16, 2015
Solved

How to use XSS prevention for js file in cq5. Is there any OOB available for CQ5 to use it in JS. There are xssapi which can be used in JSP and JAVA.

  • October 16, 2015
  • 8 replies
  • 3452 views


How to implement XSS prevention in a JavaScript file.

Please assist.

Thanks,

Ramya

8 replies

ogill
Adobe Employee
Accepted solution
October 16, 2015

Hi Ramya,

Here is an example of what to use [1]. When you use AEM6, Sightly was created with security by default, so it is automatic.

Regards,

Opkar

[1] http://tostring.me/270/how-to-prevent-cross-site-scripting-xss-attack-on-your-adobe-cq-based-web-application/

ramyan60274153
Level 2
October 16, 2015

Hi Scott/ Opkar,

Thanks for the reply. I have implemented the XSS API in JSP and in Java. I have an issue in JavaScript as well, e.g. window.document.referrer should be validated for client DOM XSS.

What can be implemented here in the JS file? Can you please suggest.

Thanks,

Ramya

Adobe Employee
October 16, 2015

Hi Ramya,

Here is another resource which is helpful [1].

The approach to XSS protection is "CQ applies the principle of filtering all user-supplied content upon output." What use case are you trying to protect against?

Regards,

Opkar

[1] http://docs.adobe.com/docs/en/cq/5-6-1/developing/securitychecklist/_jcr_content/par/download/file.res/xss_cheat_sheet.pdf
[2] https://www.linkedin.com/pulse/20141208052114-205306823-cq-aem-best-practices

ramyan60274153
Level 2
October 16, 2015

Hi Opkar,

Thanks for the reply. In my JavaScript code I have var x = window.document.referrer; and there is a tool that validates all the security issues.

For this code: var x = window.document.referrer; the tool says a hacker can include a script in the URL while accessing it, which is a security issue.

I am unable to implement any fix to encode the URL and then store it in the variable x.

What can be done in JavaScript to encode the URL to get rid of script inclusion?

Thanks,

Ramya
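The client-side handling of document.referrer that this post asks about, as an added example that is not part of the thread and does not use Adobe's XSSAPI (a server-side Java service, so it cannot be called from browser-side JavaScript). The two encoders are hand-written and only modelled on the purpose of XSSAPI's encodeForJSString and encodeForHTML, not on Adobe's implementation; the element id "referrer" is an assumption. Following Opkar's point about filtering on output, the value is validated when read and then encoded for the context it is written into.

```javascript
// Added example (not from the thread): safe client-side handling of
// document.referrer. Pure functions first, so they can be tested outside a
// browser; the browser-only usage is guarded at the bottom.

// Encode for a JavaScript string-literal context. Every character outside
// [A-Za-z0-9] becomes \xHH or \uHHHH, so the value cannot close the literal
// or contain a literal "</script>". Hand-written, modelled on the purpose of
// the server-side XSSAPI.encodeForJSString; not Adobe's implementation.
function jsStringEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, function (ch) {
    var code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Encode for an HTML text or attribute context (the five characters that
// can change HTML structure). Modelled on the purpose of XSSAPI.encodeForHTML.
function htmlEncode(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Validate the referrer before using it at all: it must parse as a URL and
// use http or https (this rejects e.g. "javascript:" URLs). Returns the
// normalized URL, or "" when the referrer is empty or unacceptable.
function safeReferrer(referrer) {
  if (!referrer) { return ''; }
  var parsed;
  try {
    parsed = new URL(referrer);
  } catch (e) {
    return '';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') { return ''; }
  return parsed.href;
}

// If the referrer must be embedded in generated script text (the situation
// encodeForJSString exists for), encode it for that context. The result
// always contains exactly the two quotes that delimit the literal.
function referrerAsScriptFragment(referrer) {
  return 'var x = "' + jsStringEncode(safeReferrer(referrer)) + '";';
}

// If the referrer must be placed into markup text, encode it for HTML.
function referrerAsHtml(referrer) {
  return '<span class="ref">' + htmlEncode(safeReferrer(referrer)) + '</span>';
}

// Browser usage (skipped outside a browser). Prefer textContent over
// innerHTML: a text node is never parsed as HTML, so no encoding is needed.
if (typeof document !== 'undefined') {
  var x = safeReferrer(document.referrer);
  var el = document.getElementById('referrer'); // assumed element id
  if (el) { el.textContent = x; }
}
```

The validation step matters as much as the encoding: a referrer that is not an http(s) URL has no legitimate use on the page, so it is dropped rather than encoded, and the URL parser's own normalization already percent-encodes characters such as < and > in the query string.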

Level 3
October 16, 2015

Hi Ramya,

You can use a regular expression in JavaScript to replace all the tags (like <html>, <p>, <script>) with null ("") before assigning it to a variable. I think there is no OOTB implementation for this.

regards,

Kalyan venkat

Adobe Employee
October 16, 2015

Hi Ramya,

It would be worth asking for an example of this exploit and how others have guarded against it.

Regards,

Opkar

smacdonald2008
Level 10
October 16, 2015
Level 3
October 4, 2017

Hi Ramya, could you please assist me with using xssAPI methods in a .js file?

I did not find anything related in the accepted answer link; maybe that was updated at some time.

I am able to do it for JSP and Java files, but I am not sure how to make use of xssAPI.encodeForJSString("") in a .js file in CQ 5.6.

This is to do with an XSS issue reported by the Fortify tool for the below code in a JS file:

window.location.href = window.location.href + ("?mode=view");

Thanks
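The location assignment in the post above, built with the browser's URL API instead of string concatenation, as an added example that is not part of the thread and does not use Adobe's XSSAPI (a server-side Java service, so it cannot be called from browser-side JavaScript). The function is pure so it can be tested outside a browser; the assignment to window.location.href is kept in a separate function to be called from wherever the original line lived, and the origin passed to it is an assumption.

```javascript
// Added example (not from the thread): build the "?mode=view" navigation
// target with the URL API instead of string concatenation, and check it
// before assigning it to window.location.href.

// Returns the URL string to navigate to, or null if the current href is
// unusable: not parseable, not http(s), or (when expectedOrigin is given)
// not on the expected origin. Using searchParams.set also avoids a defect of
// the concatenation approach: a page whose URL already has a query string
// would otherwise end up with two "?" characters.
function withViewMode(currentHref, expectedOrigin) {
  var url;
  try {
    url = new URL(currentHref);
  } catch (e) {
    return null;                        // not a URL at all
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null;                        // e.g. javascript: or data: schemes
  }
  if (expectedOrigin !== undefined && url.origin !== expectedOrigin) {
    return null;                        // refuse to navigate off-site
  }
  url.searchParams.set('mode', 'view'); // replaces an existing mode=... value
  return url.href;
}

// Browser usage: call this from the handler where the original assignment
// lived. The expected origin is the page's own origin (an assumption about
// the application), so the data flow from location into location that the
// static-analysis finding is about is checked explicitly before navigating.
function goToViewMode() {
  if (typeof window === 'undefined' || !window.location) { return false; }
  var target = withViewMode(window.location.href, window.location.origin);
  if (target === null) { return false; }
  window.location.href = target;
  return true;
}
```

Because the scheme and origin are checked before assignment, the navigation target can only ever be an http(s) URL on the page's own origin, which is the property a reviewer of the finding needs to see in the code rather than infer from where window.location.href comes from.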