SOLVED

How XSS Protection works in AEMaaCS?


Level 4

Let's say I have an anti-samy-rules configuration in an AEM on-premise environment. How do I migrate it to AEMaaCS?

Does AEMaaCS take care of XSS protection?

1 Accepted Solution


Correct answer by
Community Advisor

I haven't heard that AEMaaCS has changed the way it protects against XSS. By default there is a set of AntiSamy rules based on the OWASP recommendation; this list is located under /libs/cq/xssprotection/config.xml

So, if you have customized this list via an overlay, you should have your new AntiSamy config in /apps/cq/xssprotection/config.xml. As long as this is part of your codebase, it will be deployed and used by AEMaaCS.

You can find more info here:

https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/security.html?... 

https://blogs.perficient.com/2022/10/04/how-good-is-your-aem-security-xss/ 


Esteban Bustamante


5 Replies



Level 4

@EstebanBustamante, after implementing it, how do I test it for confirmation?


Community Advisor

I suppose you can test a couple of your custom rules. The customizations I have made in the past were related to allowing certain characters in specific tags' attributes. In my particular case, I was able to test by ensuring that those characters were not stripped out in the resulting HTML. Please be aware that these rules are evaluated by HTL (formerly Sightly). So, my test simply involved writing the characters in an HTML file and then checking if they appeared on the page.


https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/xss-protection-in-aem/m-p/...

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-overlay-libs-cq-xss... 


Esteban Bustamante
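As an added illustration (constructed here, not taken from the thread or from Adobe's shipped policy), this is the shape of an /apps/cq/xssprotection/config.xml overlay that does what the reply above describes: permitting an extra attribute on a specific tag. The attribute name data-tracking and the regexp name trackingToken are invented for the example, and the overlay is assumed to be a complete copy of the /libs file with these entries added, since the XSS filter loads a single policy file rather than merging fragments.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed illustration of an /apps/cq/xssprotection/config.xml overlay.
     Only the entries that change are shown; everything else is kept exactly
     as in the shipped /libs/cq/xssprotection/config.xml. -->
<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:noNamespaceSchemaLocation="antisamy.xsd">

  <directives>
    <!-- keep the directives exactly as shipped in /libs -->
  </directives>

  <common-regexps>
    <!-- shipped regexps stay here unchanged -->

    <!-- added (hypothetical): the pattern is matched against the whole
         attribute value, so a tight character class keeps the attribute
         from carrying anything other than a short opaque token -->
    <regexp name="trackingToken" value="[a-zA-Z0-9_:\-]{1,64}"/>
  </common-regexps>

  <common-attributes>
    <!-- shipped attributes stay here unchanged -->

    <!-- added (hypothetical): a custom attribute validated by the regexp above -->
    <attribute name="data-tracking" description="Analytics token on links">
      <regexp-list>
        <regexp name="trackingToken"/>
      </regexp-list>
    </attribute>
  </common-attributes>

  <tag-rules>
    <!-- shipped tag rules stay here unchanged; the <a> entry below is the
         existing one with a single attribute line added to it -->
    <tag name="a" action="validate">
      <!-- shipped href / target / etc. attribute rules remain in place -->

      <!-- added: allow data-tracking on anchors; with no regexp-list of its
           own it inherits the rule from common-attributes -->
      <attribute name="data-tracking"/>
    </tag>
  </tag-rules>

  <css-rules>
    <!-- keep the css-rules exactly as shipped in /libs -->
  </css-rules>
</anti-samy-rules>
```

To verify it the way the reply suggests, render a string containing `<a href="/content/page.html" data-tracking="abc-123">x</a>` through HTL with `@ context='html'` and confirm the attribute survives, then render a value that violates the regexp (for example one containing a space or quote) and confirm the attribute is stripped; both outcomes together show the overlay, not the default policy, is what the deployment is using.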


Level 4

@EstebanBustamante, thanks for your impactful insight!


Level 1

@EstebanBustamante Once we overlay, does this mean we need to keep it up to date with the /libs file in case there are new updates to the OOTB file via automated SDK updates?