3 Replies Latest reply on Jun 11, 2012 3:15 AM by Davide G

    XSS filtering

    katrienj Level 1

      We recently had our website security tested and one of the issues was that it was vulnerable for XSS attacks. I did some reading on the web about this and came across the package XSSFilter as part of the CQ installation. Can anyone give some more information on how I should use this package?


      Also, is standard XSS filtering not automatically applied in CQ? I read the following paragraph about it on Day's website and I find it a bit dubious:


      "CQ applies the principle of filtering all user-supplied content upon output. Preventing XSS is given the highest priority during both development and testing."


      If this isn't applied by default can we expect this to come out in a later release of CQ?


      Many thanks!

        • 1. Re: XSS filtering
          Sham HC Level 7

Basically, the XSS service is used for validating and/or encoding individual blocks of content (href etc.). For easy facilitation it is exposed through cq:defineObjects. Ex:- Suppose you have allowed users to post some level of HTML code in your blog posts. So you could use it in your components like


          <%= xssAPI.filterHTML("  Blog input ") %>


The API details are at http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/xss/XSSAPI.html


By default it is applied. Can you file a Daycare ticket with the CQ version, XSS report, list of hf and logs during test execution for a review.

          1 person found this helpful
          • 2. Re: XSS filtering
            katrienj Level 1

            Thanks for your reply.

So if I create a form using CQ OOB functionality then it should have applied XSS filtering by default? I don't need to do anything to enable it? Perhaps we're missing a setting in our CQ environment somewhere?


            Many thanks!

            1 person found this helpful
            • 3. Re: XSS filtering
              Davide G Adobe Employee

If you develop your own components you'll have to manually apply the XSS filtering. Instead, if you're using an OOTB component of CQ it should be already included.


BTW, errors are human and pentests are always a good suggestion.
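The manual filtering Davide describes for custom components, and the xssAPI usage Sham points to, shown together as an added JSP example that is not code from this thread or from Adobe. It assumes the xssAPI and properties objects that cq:defineObjects (pulled in via global.jsp) exposes to a component, and a hypothetical comment component whose resource carries author, website, body and rating properties; those property names are assumptions. The point it makes beyond the one-liner above is that the XSSAPI method has to match the output context: filterHTML is only right for rich text, while attribute, URL, JavaScript and numeric contexts each need their own call.

```jsp
<%@ include file="/libs/foundation/global.jsp" %>
<%
    // Added example (not from the thread or from Adobe): render a user-submitted
    // comment with context-appropriate XSSAPI calls. "xssAPI" and "properties"
    // come from cq:defineObjects; the property names below are assumptions.
    String author  = properties.get("author",  "");
    String website = properties.get("website", "");
    String body    = properties.get("body",    "");
    String rating  = properties.get("rating",  "");
%>
<%--
    Unfiltered output is what a pentest flags as reflected/stored XSS:
        <div class="body"><%= body %></div>
    Every output below goes through the XSSAPI method for its context instead.
--%>
<div class="comment" data-author="<%= xssAPI.encodeForHTMLAttr(author) %>">

  <%-- HTML text node: plain text only, so encode everything --%>
  <span class="author"><%= xssAPI.encodeForHTML(author) %></span>

  <%-- href attribute: getValidHref returns an empty string for a URL it rejects
       (e.g. an unsafe scheme), so the link degrades rather than executes --%>
  <a href="<%= xssAPI.getValidHref(website) %>">website</a>

  <%-- Rich text the site deliberately allows: keep the permitted subset of
       HTML and strip the rest (scripts, event handlers, unsafe attributes) --%>
  <div class="body"><%= xssAPI.filterHTML(body) %></div>

  <%-- Numeric context: validate as an integer, falling back to 0 --%>
  <span class="rating"><%= xssAPI.getValidInteger(rating, 0) %></span>

  <script>
    // JavaScript string literal context: JS-encode, then wrap in quotes
    var commentAuthor = "<%= xssAPI.encodeForJSString(author) %>";
  </script>
</div>
```

The check to make when reviewing a custom component is simply that no <%= ... %> expression writes request or repository data without one of these calls around it; OOTB components already do this, which is why the question of whether filtering is "on" only arises for your own code.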