Hi all,
How do I prevent cross-site scripting (XSS) attacks on websites? I am able to inject scripts into my page, which is not good!
I was under the impression that overlaying the config.xml from libs to apps would work. Is there any additional configuration I need to look into?
P.S. I have already gone through the OWASP cheat sheet but didn't find anything of use.
I guess not. However, you should also take care of XSS protection at the component level.
amrit1993 wrote...
Hi all,
How do I prevent cross-site scripting (XSS) attacks on websites? I am able to inject scripts into my page, which is not good!
I was under the impression that overlaying the config.xml from libs to apps would work. Is there any additional configuration I need to look into?
P.S. I have already gone through the OWASP cheat sheet but didn't find anything of use.
Are you using JSP or HTL?
By default, HTL takes care of this for you.
https://docs.adobe.com/docs/en/htl/overview.html#Increased Security
JSP
Do you have an example to share? The XSS logic certainly has to be done by you in your components.
<%@page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"
%><%@include file="/apps/xyz/foundation/global.jsp"%>
<%-- EL output (${...}) is written verbatim in JSP: a category name containing a quote or "><script> lands unencoded inside the attribute --%>
<c:choose>
<c:when test="${modelCategory.selected}">
<a href="?selectedCategory=${modelCategory.categoryNameEncoded}" title="${modelCategory.dto.categoryName}"><b>${modelCategory.categoryText}</b></a>
</c:when>
<c:otherwise>
<a href="?selectedCategory=${modelCategory.categoryNameEncoded}" title="${modelCategory.dto.categoryName}">${modelCategory.categoryText}</a>
</c:otherwise>
</c:choose>
I am able to inject into the href attribute.
You need to apply the XSS rules yourself.
Here is a cheat sheet: https://docs.adobe.com/docs/en/cq/5-6-1/developing/securitychecklist/_jcr_content/par/download/file....
Thanks for the link.
I tried to follow that, but it threw a 500 server error.
<%@page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"
        import="com.adobe.granite.xss.XSSAPI"
%><%@include file="/apps/xyz/foundation/global.jsp"%>
<%-- ${...} is not evaluated inside a scriptlet string literal, so copy the EL values into page scope first --%>
<c:set var="catHref" value="?selectedCategory=${modelCategory.categoryNameEncoded}"/>
<c:set var="catTitle" value="${modelCategory.dto.categoryName}"/>
<%
    // getRequestSpecificAPI() takes the SlingHttpServletRequest (slingRequest), not the plain JSP request
    XSSAPI myXssAPI = xssAPI.getRequestSpecificAPI(slingRequest);
    // title is a separate attribute with its own encoding; it does not belong inside the getValidHref() call
    String safeHref = myXssAPI.getValidHref((String) pageContext.getAttribute("catHref"));
    String safeTitle = myXssAPI.encodeForHTMLAttr((String) pageContext.getAttribute("catTitle"));
%>
<c:choose>
<c:when test="${modelCategory.selected}">
<a href="<%= safeHref %>" title="<%= safeTitle %>"><b><c:out value="${modelCategory.categoryText}"/></b></a>
</c:when>
<c:otherwise>
<a href="<%= safeHref %>" title="<%= safeTitle %>"><c:out value="${modelCategory.categoryText}"/></a>
</c:otherwise>
</c:choose>
Here is an example from /apps/geometrixx-outdoors/components/page/head.jsp. You can just use xssAPI in your components:
<title><%= xssAPI.encodeForHTML(title) %></title>
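As an added example for the two answers above (not code from this thread or from Adobe), here is the category link written so that every value is encoded for the context it lands in: href, attribute, element text, a JavaScript string, and a numeric query parameter. It goes a little beyond the thread's own case by covering the last two contexts as well. It assumes, as the thread does, that global.jsp provides xssAPI and slingRequest (via cq:defineObjects) and the JSTL core taglib, and that a controller stores the modelCategory bean in the request; trackCategory is a hypothetical client-side function.

```jsp
<%@page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"
        import="com.adobe.granite.xss.XSSAPI"
%><%@include file="/apps/xyz/foundation/global.jsp"%>
<%-- Added example for this thread, not code from the original posts or from Adobe.
     Assumes global.jsp provides xssAPI and slingRequest (cq:defineObjects) and the
     JSTL core taglib, and that a controller has set the modelCategory bean. --%>

<%-- A scriptlet cannot read ${...} directly, so copy the EL values into page scope. --%>
<c:set var="rawName" value="${modelCategory.dto.categoryName}" />
<c:set var="rawText" value="${modelCategory.categoryText}" />
<c:set var="rawHref" value="?selectedCategory=${modelCategory.categoryNameEncoded}" />

<%
    // Request-bound instance: getValidHref() then validates relative hrefs
    // against this request's resource resolver.
    XSSAPI myXssAPI = xssAPI.getRequestSpecificAPI(slingRequest);

    String rawName = (String) pageContext.getAttribute("rawName");
    String rawText = (String) pageContext.getAttribute("rawText");
    String rawHref = (String) pageContext.getAttribute("rawHref");

    // One encoder per output context. The thread's bug was writing raw values
    // into an attribute; each call below blocks the break-out that matters
    // for its context:
    //   getValidHref      - returns "" for URLs that fail validation (a
    //                       javascript: link, for example) and encodes the rest
    //                       for use in an attribute
    //   encodeForHTMLAttr - quotes and angle brackets cannot end the attribute
    //   encodeForHTML     - "<script>" in a category name is rendered as text
    //   encodeForJSString - quotes and newlines cannot leave a JS string literal
    //   getValidInteger   - a query parameter becomes an int, or the default
    String safeHref  = myXssAPI.getValidHref(rawHref);
    String safeTitle = myXssAPI.encodeForHTMLAttr(rawName);
    String safeText  = myXssAPI.encodeForHTML(rawText);
    String safeJs    = myXssAPI.encodeForJSString(rawName);
    int    page      = myXssAPI.getValidInteger(request.getParameter("page"), 1);
%>
<c:choose>
    <c:when test="${modelCategory.selected}">
        <a href="<%= safeHref %>" title="<%= safeTitle %>"><b><%= safeText %></b></a>
    </c:when>
    <c:otherwise>
        <a href="<%= safeHref %>" title="<%= safeTitle %>"><%= safeText %></a>
    </c:otherwise>
</c:choose>
<%-- page is an int, so it can be written without further encoding --%>
<span class="page-indicator">Page <%= page %></span>
<script>
    // trackCategory is a hypothetical client-side hook. The argument sits inside
    // a JS string literal, so it needs the JS-string encoder, not the HTML one.
    trackCategory('<%= safeJs %>');
</script>
```

If categoryText is authored rich text rather than a plain name, encodeForHTML would show the tags literally; use xssAPI.filterHTML() there instead, which removes dangerous markup while keeping the allowed tags. Whatever the context, the rule is the same as in the two answers above: the component, not a global config, decides how each value is encoded.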