Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

XSS (cross-site scripting) vulnerability

Avatar

Level 3
Level 3
10/15/15 7:29:22 PM
http://www.abc.com/search-results.html?search-site=test&locale=en_US%22%3E%3Csvg+src%3DX+onload%3D%22prompt%28%27xss%27%29
 
I see a javacript alert coming up on the browser when i feed the above url due to XSS (cross-site scripting) vulnerability due to improper 
handling of provided URL parameters .please let me know how can slove this particular issue

Views

2.9K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 1
Level 1
10/15/15 7:29:22 PM

XSS is not something dispatcher can protect you against in general. XSS protection must be built into the code which produces the output being returned in response to requests from the users browser. E.g. in JSPs the XSSAPI (https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html) should be used to filter or encode any values being included in the output if they come from the request, the JCR, or any external data source.

-Rob

View solution in original post

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Employee
Employee
10/15/15 7:29:22 PM

Using Sightly will automatically XSS-protect all your output

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
10/15/15 7:29:22 PM

I am using CQ 5.6.1 without Sightly  ,do you have any links or code sinppet  as what I could add in dispatcher section that could protect from XSS ,which in general could be used to protect the  website from XSS

Views

1.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 1
Level 1
10/15/15 7:29:22 PM

XSS is not something dispatcher can protect you against in general. XSS protection must be built into the code which produces the output being returned in response to requests from the users browser. E.g. in JSPs the XSSAPI (https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html) should be used to filter or encode any values being included in the output if they come from the request, the JCR, or any external data source.

-Rob

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
2/9/18 3:30:51 AM

Hi @chandra_cq5

I am also facing the same issue, did you got any solution.? I am trying to make the changes at code level but not able to figure out how to implement XSSAPI.

If you have done the changes please let me know.

Views

2.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Get List of locally created pages from local country site which are not rolled out from language-master Solved

Views

205

Likes

0

Replies

10
How to managing Cross-Domain Redirects in AEM Cloud

Views

79

Likes

0

Replies

2
I have a problem with the times being off when publishing to sites

Views

147

Likes

0

Replies

5
Add type="module" to the script tag when AEM introduces JS

Views

99

Likes

0

Replies

2
How to propagate template code changes to sites using that template

Views

112

Likes

0

Replies

4