XSS Security Concern

Avatar

Avatar

sutty1000

Avatar

sutty1000

sutty1000

13-01-2017

We have a concern that a malicious author could enter data that would expose the site to a XSS attack. Is there a way to sanitise author data inputted via dialogs before it is persisted in CRX? We are not rendering out HTML from AEM via Sightly but instead are using Sling Models and a custom Sling servlet to build a JSON view of the data in CRX that the React.js frontend then uses to render the page. Therefore we do not get any of the protection that Sightly would normally afford us as we simply read what is in CRX and output this. So if an author has entered a nasty string via a text field on the dialog for a component then we will end up outputting this in our JSON.

Replies

Avatar

Avatar

smacdonald2008

Total Posts

12.7K

Likes

1.4K

Correct Reply

2.3K

Avatar

smacdonald2008

Total Posts

12.7K

Likes

1.4K

Correct Reply

2.3K
smacdonald2008

13-01-2017

As you are not using HTL or AEM JQuery, which has token for XSS, not sure what you can do. You can look at trying to implement some sort of blacklist which would specify locations that would not be allowed. So if an author references a prohibited area, the request should be blocked. This is a custom featutre as AEM does not support ootb.

Avatar

Avatar

PuzanovsP

MVP

Avatar

PuzanovsP

MVP

PuzanovsP
MVP

13-01-2017

@Sutty, have you considered restricting author access, so that no content author could login to AEM(this would fix your problem straight away!)?

Alternatively, you could try to use https://docs.adobe.com/content/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html with https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

But, in most cases your user/content author would win(unless you really, restrict your content author functions to bare minimum and aggressively parse all request data).

Regards,

Peter