Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

How XSS Protection works in AEMaaCS?

Avatar

Level 4
Level 4
9/26/23 11:29:04 PM

Lets say, I have  anti-samy-rules configuration in AEM on premise environment how do i migrate to AEMaaCS?

 

Does AEMaaCS will take care xss protection??

 

Views

1.0K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
9/27/23 6:07:29 AM

I haven't heard that AEMaaCS has changed the way it protects against XSS, by default there is a set of AntySamy rules that is based on the OWASP recommendation, this list is located under /libs/cq/xssprotection/config.xml

 

So, if you have customized this list via an overlay, you should have your new AnySamy config in /apps/cq/xssprotection/config.xml, as long as this is part of your codebase, this will be deployed and used by AEMaaCS. 

 

You can find more info here:

https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/security.html?... 

https://blogs.perficient.com/2022/10/04/how-good-is-your-aem-security-xss/ 

 

 

 


Esteban Bustamante

View solution in original post

Views

992

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
9/27/23 6:07:29 AM

I haven't heard that AEMaaCS has changed the way it protects against XSS, by default there is a set of AntySamy rules that is based on the OWASP recommendation, this list is located under /libs/cq/xssprotection/config.xml

 

So, if you have customized this list via an overlay, you should have your new AnySamy config in /apps/cq/xssprotection/config.xml, as long as this is part of your codebase, this will be deployed and used by AEMaaCS. 

 

You can find more info here:

https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/security.html?... 

https://blogs.perficient.com/2022/10/04/how-good-is-your-aem-security-xss/ 

 

 

 


Esteban Bustamante

Views

993

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Community Advisor
Community Advisor
9/28/23 6:18:54 AM
In response to vkarthick

I suppose you can test a couple of your custom rules. The customizations I have made in the past were related to allowing certain characters in specific tags' attributes. In my particular case, I was able to test by ensuring that those characters were not stripped out in the resulting HTML. Please be aware that these rules are evaluated by HTL (formerly Sightly). So, my test simply involved writing the characters in an HTML file and then checking if they appeared on the page.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/xss-protection-in-aem/m-p/...

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-overlay-libs-cq-xss... 

 

 


Esteban Bustamante

Views

957

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Reg: Video Smartcrops in AEM 6.5

Views

41

Likes

0

Replies

1
Custom index in AEMaaCS environment appeared like it might be causing problem with OOTB query, but updating the index didn't fix it

Views

131

Likes

0

Replies

9
Could not log in with my Adobe account after de-hibernating

Views

70

Likes

0

Replies

3
How to propagate template code changes to sites using that template

Views

74

Likes

0

Replies

3
how to implement nonce for Content-Security-Policy script-src directive in dispatcher

Views

91

Likes

0

Replies

2