Adobe Experience Manager Sites & More

Thanks Hamid. The documentation doesn't answer question raised in the original post. i.e. If a servlet is expected to return HTML content, should we (the site developer) be using AntiSamy API to filter out problematic content? Or is that already addressed somewhere in AEM request / response chain?

I would request you to check OOTB servlets and write the custom code accordingly. As long as you are using OOTB API's , the code will be XSS protected.

Also, If you go to [1], you can see all the XSS rules defined . If you are using anything custom, you can overlay this file under /apps and make the neccassary changes.

[1] /libs/cq/xssprotection/config.xml

you can also use XSSAPI class to implement your own custom rules for security. For Details

XSSAPI ("The Adobe AEM Quickstart and Web Application.")

HTL is XSS protected until you don't use an unsafe context.

If you are rendering DOM based on form parameter then you have to be careful.

Make sure you encode all the request parameter values before use in the form

There are some practical example

5 Practical Scenarios for XSS Attacks | Pentest-Tools.com Blog

Arun Patidar

Thanks. This is what I was looking for thank you