Adobe Experience Manager Sites & More

ramyan60274153 · 10/15/15

How to use XSS prevention for js file in cq5. Is there any OOB avilable for CQ5 to use it in JS. There are xssapi which can be used in JSP and JAVA.

How to implement the XSS prevention in Java script file.

Please assist.

Thanks,

Ramya

Opkar_Gill · 10/15/15

Hi Ramya,

here is an example of what to use[1]. When you use AEM6, sightly was created with security by default, so it is automatic.

Regards,

Opkar

[1] http://tostring.me/270/how-to-prevent-cross-site-scripting-xss-attack-on-your-adobe-cq-based-web-app...

View solution in original post

Opkar_Gill · 10/15/15

Hi Ramya,

here is an example of what to use[1]. When you use AEM6, sightly was created with security by default, so it is automatic.

Regards,

Opkar

[1] http://tostring.me/270/how-to-prevent-cross-site-scripting-xss-attack-on-your-adobe-cq-based-web-app...

ramyan60274153 · 10/15/15

Hi Scott/ Opkar,

Thanks for the reply. I have implemented the XSS api in JSP and in JAVA. I have issue in Javascript as well EX: window.document.referrer; whoul be validated for Client DOM XSS.

What can be implemented here in JS file can you please suggest.

Thanks,

Ramya

Opkar_Gill · 10/15/15

Hi Ramya,

here is another resource which is helpful[1]

The approach to XSS protection is "CQ applies the principle of filtering all user-supplied content upon output." What use case are you trying to protect against?

Regards,

Opkar

[1] http://docs.adobe.com/docs/en/cq/5-6-1/developing/securitychecklist/_jcr_content/par/download/file.r...
[2] https://www.linkedin.com/pulse/20141208052114-205306823-cq-aem-best-practices

ramyan60274153 · 10/15/15

Hi Opkar,

Thanks for the reply . In my java script code I have var x = window.document.referrer; there is some tool to validate all the security issues.

for the this code : var x = window.document.referrer; The tool says hacker can include the script in the url while accessing which is a security issue.

I am unable to implement the any fix to encode the url and then store it the variable x.

What can be done in java script to encode the url to get ride of script inclusion.

Thanks,

Ramya

kalyan_venkat · 10/15/15

Hi Ramya,

You can use regular expression in javascript to replace all the tags ( like <html>,<p>,<script>) with null ("") before assigning it to a variable. I think there is no OOTB implementation for this.

regards,

Kalyan venkat

Opkar_Gill · 10/15/15

Hi Ramya,

it would be worth asking for an example of this exploit and how others have guarded against it.

Regards,

Opkar

smacdonald2008 · 10/15/15

See this AEM doc topic:

https://docs.adobe.com/docs/en/cq/5-6-1/developing/developing_guidelines_bestpractices.html#Protect against Cross-Site Scripting (XSS)

akashdeepAEM · 10/4/17

Hi Ramya, could u pls assist me using xssAPI methods in .js file

I did not find anything related in the accepted answer link may be that was updated at some time.

Able to do it for jsp and java files doubt how to make use of xssAPI.encodeForJSString("")

in a js file in cq5.6

This is to do with xss issue reported by fortify tool for below code in js file

window.location.href = window.location.href + ("?mode=view");

Thanks

Adobe Experience Manager Sites & More

How to use XSS prevention for js file in cq5. Is there any OOB avilable for CQ5 to use it in JS. There are xssapi which can be used in JSP and JAVA.

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe