Adobe Experience Manager Sites & More

Are you using JSP or HTL?

By default HTL is taking care of this for you.

https://docs.adobe.com/docs/en/htl/overview.html#Increased Security

jsp

Do you have an example to share? For sure the XSS-logic needs to be done by yourself in your components.

<%@page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"
%><%@include file="/apps/xyz/foundation/global.jsp"%>

<c:choose>
    <c:when test="${modelCategory.selected}">
        <a href="?selectedCategory=${modelCategory.categoryNameEncoded}" title="${modelCategory.dto.categoryName}"><b>${modelCategory.categoryText}</b></a>
    </c:when>
    <c:otherwise>
        <a href="?selectedCategory=${modelCategory.categoryNameEncoded}" title="${modelCategory.dto.categoryName}">${modelCategory.categoryText}</a>
    </c:otherwise>
</c:choose>

I am able to cross inject upon the href attribute.

You need apply XSS rules yourself.

Here a cheat sheet: https://docs.adobe.com/docs/en/cq/5-6-1/developing/securitychecklist/_jcr_content/par/download/file....

Thanks for the link,

I tried to follow that, but it throwed 500 server error.

<%@page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"
%><%@include file="/apps/xyz/foundation/global.jsp"%>
<% XSSAPI myXssAPI = xssAPI.getRequestSpecificAPI(request);%>

<c:choose>
    <c:when test="${modelCategory.selected}">
        <a href="<%= myXssAPI.getValidHref("?selectedCategory=${modelCategory.categoryNameEncoded}" title="${modelCategory.dto.categoryName}")%"><b>${modelCategory.categoryText}</b></a>
    </c:when>
    <c:otherwise>
        <a href="<%= myXssAPI.getValidHref("?selectedCategory=${modelCategory.categoryNameEncoded}" title="${modelCategory.dto.categoryName}")%">${modelCategory.categoryText}</a>
    </c:otherwise>
</c:choose>

Here an example from :

You can just use xssAPI in your components:/apps/geometrixx-outdoors/components/page/head.jsp

    <title><%= xssAPI.encodeForHTML(title) %></title>