xss protection in AEM

jakej40603950

29-09-2019

Is AEM completely xss secure. I know using HTL makes sure that you're protected from xss. But what about ajax calls? Responses returned from Servlets?

In other words, are there areas or flows where it's up to the site developer to implement xss protection mechanisms?

Thanks.

Accepted Solutions (1)

Jörg_Hoh

Employee

01-10-2019

When you implement servlets, you have to ensure that your code emits safe output (you can use the slingXSSApi [1] for this). HTL scripts are safe unless you explicitly use the unsafe context.

[1] XSSAPI (Apache Sling 11 API)
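As an added example (not from this thread or from AEM's own code), a Sling servlet that echoes request parameters back as HTML, with the unsafe concatenation shown beside the XSSAPI-encoded output; the package, servlet path and parameter names are assumptions.

```java
package com.example.xss; // hypothetical package

import java.io.IOException;
import javax.servlet.Servlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletPaths;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = Servlet.class)
@SlingServletPaths("/bin/example/greeting") // hypothetical path
public class GreetingServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xssAPI; // the Sling XSSAPI service the accepted answer refers to

    // Missing parameters become "" so the encoders never see null.
    private static String param(SlingHttpServletRequest request, String name) {
        String value = request.getParameter(name);
        return value == null ? "" : value;
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        String name = param(request, "name");
        String link = param(request, "link");
        String bio  = param(request, "bio"); // HTML the caller is allowed to send

        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");

        // UNSAFE: nothing in the request/response chain encodes this for you, so a
        // name containing markup is rendered as markup.
        // response.getWriter().write("<p>Hello " + name + "</p>");

        // SAFE: choose the encoder for each output context.
        StringBuilder html = new StringBuilder();
        html.append("<p>Hello ").append(xssAPI.encodeForHTML(name)).append("</p>");
        // attribute context uses a different encoder; getValidHref drops unsafe URL schemes
        html.append("<a href=\"").append(xssAPI.getValidHref(link)).append("\" title=\"")
            .append(xssAPI.encodeForHTMLAttr(name)).append("\">profile</a>");
        // where the servlet must return caller-supplied HTML, filter it against the
        // AntiSamy policy (AEM's /libs/cq/xssprotection/config.xml) instead of encoding it
        html.append("<div>").append(xssAPI.filterHTML(bio)).append("</div>");
        response.getWriter().write(html.toString());
    }
}
```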

Answers (6)

jakej40603950

01-10-2019

Thanks. This is what I was looking for, thank you.

Arun_Patidar

MVP

30-09-2019

HTL is XSS protected as long as you don't use an unsafe context.

If you are rendering DOM based on form parameters, then you have to be careful.

Make sure you encode all the request parameter values before use in the form.

There are some practical examples:

5 Practical Scenarios for XSS Attacks | Pentest-Tools.com Blog

DPrakashRaj

30-09-2019

You can also use the XSSAPI class to implement your own custom rules for security. For details:

XSSAPI ("The Adobe AEM Quickstart and Web Application.")

jbrar

Employee

30-09-2019

I would request you to check OOTB servlets and write the custom code accordingly. As long as you are using OOTB APIs, the code will be XSS protected.

Also, if you go to [1], you can see all the XSS rules defined. If you are using anything custom, you can overlay this file under /apps and make the necessary changes.

[1] /libs/cq/xssprotection/config.xml

jakej40603950

29-09-2019

Thanks Hamid. The documentation doesn't answer the question raised in the original post, i.e. if a servlet is expected to return HTML content, should we (the site developer) be using the AntiSamy API to filter out problematic content? Or is that already addressed somewhere in the AEM request / response chain?

hamidk92094312

Employee

29-09-2019

Please read relevant documentation: Security