Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

xss protection in AEM

Avatar

Level 5
Level 5
9/29/19 1:52:22 AM

Is AEM completely xss secure. I know using HTL makes sure that you're protected from xss. But what about ajax calls? Responses returned from Servlets?

In other words, are there areas or flows where it's up to the site developer to implement xss protection mechanisms?

Thanks.

Views

9.6K

Replies

7
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
10/1/19 2:30:57 PM

When you implement servlets, you have to ensure that your code emits safe output (you can use the slingXSSApi [1] for this). HTL scripts are safe unless you explicitly use the unsafe context.

[1] XSSAPI (Apache Sling 11 API)

View solution in original post

Views

8.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
7 Replies

Avatar

Level 5
Level 5
9/29/19 1:19:27 PM

Thanks Hamid. The documentation doesn't answer question raised in the original post. i.e. If a servlet is expected to return HTML content, should we (the site developer) be using AntiSamy API to filter out problematic content? Or is that already addressed somewhere in AEM request / response chain?

Views

8.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
9/30/19 4:38:03 AM

I would request you to check OOTB servlets and write the custom code accordingly. As long as you are using OOTB API's , the code will be XSS protected.

Also, If you go to [1], you can see all the XSS rules defined . If you are using anything custom, you can overlay this file under /apps and make the neccassary changes.

[1] /libs/cq/xssprotection/config.xml

Views

8.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
9/30/19 10:46:24 AM

you can also use XSSAPI class to implement your own custom rules for security. For Details

XSSAPI ("The Adobe AEM Quickstart and Web Application.")

Views

8.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
9/30/19 11:56:11 AM

HTL is XSS protected until you don't use an unsafe context.

If you are rendering DOM based on form parameter then you have to be careful.

Make sure you encode all the request parameter values before use in the form

There are some practical example

5 Practical Scenarios for XSS Attacks | Pentest-Tools.com Blog



Arun Patidar

Views

8.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee Advisor
Employee Advisor
10/1/19 2:30:57 PM

When you implement servlets, you have to ensure that your code emits safe output (you can use the slingXSSApi [1] for this). HTL scripts are safe unless you explicitly use the unsafe context.

[1] XSSAPI (Apache Sling 11 API)

Views

8.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 5
Level 5
10/1/19 3:28:05 PM

Thanks. This is what I was looking for thank you

Views

8.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
AEM 6.5.21 link invalid Solved

Views

85

Likes

0

Replies

2
How to obtain list of child components models in parent component sling model?

Views

108

Likes

0

Replies

5
Filters in AEM Collections

Views

57

Likes

0

Replies

0
Integrating mobile App testing tools with AEM

Views

57

Likes

0

Replies

1
Add type="module" to the script tag when AEM introduces JS

Views

72

Likes

0

Replies

2