Disabling cross-site scripting protection for the Management Center

When enabled, cross-site scripting protection rejects any user requests that contain attributes (parameters) or strings that are designated as not allowable. You can also exclude commands from cross-site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross-site scripting protection is enabled by default, but you can disable it to match your security needs.

Procedure

  1. Open the following file:
    • LOBTools.war/WEB-INF/web.xml
    • WebSphere Commerce Developer: LOBTools/WebContent/WEB-INF/web.xml
    See Management Center Web application file locations for more information.
  2. Search for and remove the following snippet:
    
    <param-name>com.ibm.commerce.security.crosssitescriptingprovider</param-name>
    <param-value>com.ibm.commerce.foundation.internal.client.security.impl.ClassicCommerceCrossSiteScriptingProviderImpl</param-value>
    
  3. Save your changes and close the file.
  4. Deploy your changes.
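
To confirm after deployment which state a given web.xml is in, the following added example (not IBM-supplied code) parses the file and reports whether the provider parameter from step 2 is still present. The function names, the status strings, and the `<context-param>` wrapper in the constructed samples are assumptions; the check itself does not depend on the wrapper element.

```python
import re
import sys
import xml.etree.ElementTree as ET

PARAM = "com.ibm.commerce.security.crosssitescriptingprovider"
PROVIDER = ("com.ibm.commerce.foundation.internal.client.security.impl."
            "ClassicCommerceCrossSiteScriptingProviderImpl")

# Constructed sample input; the <context-param> wrapper is an assumption.
ENABLED_SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <context-param>
    <param-name>com.ibm.commerce.security.crosssitescriptingprovider</param-name>
    <param-value>com.ibm.commerce.foundation.internal.client.security.impl.
    ClassicCommerceCrossSiteScriptingProviderImpl</param-value>
  </context-param>
</web-app>"""

# Constructed sample: the same snippet commented out instead of deleted.
COMMENTED_SAMPLE = ENABLED_SAMPLE.replace(
    "<context-param>", "<!-- <context-param>").replace(
    "</context-param>", "</context-param> -->")

def local(tag):
    """Strip any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def xss_provider_status(web_xml):
    """Take web.xml as text or bytes; return (status, value).

    status is 'enabled', 'unexpected-provider' or 'disabled'.
    """
    root = ET.fromstring(web_xml)
    for parent in root.iter():  # XML comments are not parsed as elements
        children = {local(c.tag): (c.text or "") for c in parent}
        if children.get("param-name", "").strip() != PARAM:
            continue
        # Collapse whitespace: the class name may be wrapped across lines.
        value = re.sub(r"\s+", "", children.get("param-value", ""))
        status = "enabled" if value == PROVIDER else "unexpected-provider"
        return (status, value)
    return ("disabled", None)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, *xss_provider_status(fh.read()))
```

Run it against each deployed copy of web.xml; a result of `disabled` means requests to the Management Center are no longer filtered by this provider.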