xss protection in AEM | Community
Skip to main content
J
jakej40603950
Level 5
September 29, 2019
Solved

xss protection in AEM

  • September 29, 2019
  • 7 replies
  • 11447 views

Is AEM completely xss secure. I know using HTL makes sure that you're protected from xss. But what about ajax calls? Responses returned from Servlets?

In other words, are there areas or flows where it's up to the site developer to implement xss protection mechanisms?

Thanks.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by joerghoh

When you implement servlets, you have to ensure that your code emits safe output (you can use the slingXSSApi [1] for this). HTL scripts are safe unless you explicitly use the unsafe context.

[1] XSSAPI (Apache Sling 11 API)

7 replies

H
Adobe Employee
Hamid1350Adobe Employee
Adobe Employee
September 29, 2019

Please read relevant documentation: Security

J
jakej40603950Author
Level 5
September 29, 2019

Thanks Hamid. The documentation doesn't answer question raised in the original post. i.e. If a servlet is expected to return HTML content, should we (the site developer) be using AntiSamy API to filter out problematic content? Or is that already addressed somewhere in AEM request / response chain?

U
Adobe Employee
user05162Adobe Employee
Adobe Employee
September 30, 2019

I would request you to check OOTB servlets and write the custom code accordingly. As long as you are using OOTB API's , the code will be XSS protected.

Also, If you go to [1], you can see all the XSS rules defined . If you are using anything custom, you can overlay this file under /apps and make the neccassary changes.

[1] /libs/cq/xssprotection/config.xml

    DPrakashRaj
    Community Advisor
    DPrakashRajCommunity Advisor
    Community Advisor
    September 30, 2019

    you can also use XSSAPI class to implement your own custom rules for security. For Details

    XSSAPI ("The Adobe AEM Quickstart and Web Application.")

    arunpatidar
    Community Advisor
    arunpatidarCommunity Advisor
    Community Advisor
    September 30, 2019

    HTL is XSS protected until you don't use an unsafe context.

    If you are rendering DOM based on form parameter then you have to be careful.

    Make sure you encode all the request parameter values before use in the form

    There are some practical example

    5 Practical Scenarios for XSS Attacks | Pentest-Tools.com Blog

    Arun Patidar
    joerghoh
    Adobe Employee
    joerghohAdobe EmployeeAccepted solution
    Adobe Employee
    October 1, 2019

    When you implement servlets, you have to ensure that your code emits safe output (you can use the slingXSSApi [1] for this). HTL scripts are safe unless you explicitly use the unsafe context.

    [1] XSSAPI (Apache Sling 11 API)

    J
    jakej40603950Author
    Level 5
    October 1, 2019

    Thanks. This is what I was looking for thank you

    Terms & ConditionsAccessibility statement

    Loading footer...