Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

XSS Security Concern

sutty1000
Level 2
Level 2

We have a concern that a malicious author could enter data that would expose the site to a XSS attack. Is there a way to sanitise author data inputted via dialogs before it is persisted in CRX? We are not rendering out HTML from AEM via Sightly but instead are using Sling Models and a custom Sling servlet to build a JSON view of the data in CRX that the React.js frontend then uses to render the page. Therefore we do not get any of the protection that Sightly would normally afford us as we simply read what is in CRX and output this. So if an author has entered a nasty string via a text field on the dialog for a component then we will end up outputting this in our JSON.

2 Replies
smacdonald2008
Level 10
Level 10

As you are not using HTL or AEM JQuery, which has token for XSS, not sure what you can do. You can look at trying to implement some sort of blacklist which would specify locations that would not be allowed. So if an author references a prohibited area, the request should be blocked. This is a custom featutre as AEM does not support ootb.

Peter_Puzanovs
Community Advisor
Community Advisor

@Sutty, have you considered restricting author access, so that no content author could login to AEM(this would fix your problem straight away!)?

Alternatively, you could try to use https://docs.adobe.com/content/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html with https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

But, in most cases your user/content author would win(unless you really, restrict your content author functions to bare minimum and aggressively parse all request data).

Regards,

Peter