Enabling cross-site scripting protection
When enabled, cross-site scripting protection rejects any user requests that contain attributes (parameters) or strings that are designated as not allowable. You can also exclude commands from cross-site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross-site scripting protection is enabled by default.
About this task
- Although this feature effectively rejects malicious requests from executing, all JSP files must follow the JSTL best practices. That is, use the <c:out> tag when accessing any URL parameters or attributes. This JSTL tag by default escapes the following five special XML characters to prevent them from being used as part of a malicious string:
  - <
  - >
  - &
  - '
  - "
- In addition to the recommendations on using JSTL to escape input on JSP files, you might need to take additional steps to sanitize input on JSP files, depending on how your implementation is coded. You must follow the OWASP XSS guidelines for additional protection documentation.
- Cross-site scripting protection has been enhanced to use regular expressions that are not case-sensitive. The regular expression syntax is based on the standard used by Java. For the regular expression syntax, see Sun's Class Pattern Java API documentation.
Cross-site scripting protection can be disabled at the Web module level. For example, you can explicitly disable the cross-site scripting check in WebSphere Commerce Accelerator while enabling it in stores. Only the Stores Web module has the cross-site scripting protection feature enabled by default.
<Module contextPath="/webapp/wcs/tools" fileServletEnabled="false"
        name="CommerceAccelerator" urlMappingPath="/servlet" webAlias="/wcs">
    <InitParameters adapters="BrowserAdapter" contextSetName="Authoring" />
    <URLRedirectFilter enable="true" />
    <XSiteScriptingProtection enable="false" />
</Module>
krypto URL parameter or the WC_AUTHENTICATION cookie, the following Base64-encoded non-alphanumeric characters are used in these ciphers: '+', '/', '=', and the line feed character ('%0A' URL encoded).
Alternatively, you can block requests in WebSphere Commerce Accelerator on a per-command basis. To see all commands in WebSphere Commerce Accelerator, open the file WC_install/xml/policies/xml/defaultAccessControlPolicies.xml and look at the commands that can be accessed by the Seller role. The Seller role is the WebSphere Commerce Accelerator superuser. Commands that can be accessed by the Seller role are defined in the "SellersCmdResourceGroup".