Protecting against malicious active content
The active content filter prevents users from embedding malicious content in Communities input fields.
Before you begin
To edit configuration files, you must use the IBM® WebSphere® Application Server wsadmin client. See Starting the wsadmin client for details.
About this task
Communities provides a filter that prevents users from using rich text descriptions with malicious scripts that are started when other users visit Communities. You can disable this filter to provide richer options for content in any Communities text input field.
Note: Disabling this filter introduces vulnerability to cross-site scripting (XSS) and other types of malicious attack. See Securing applications from malicious attack for additional information.
Procedure
To configure the active content filter, complete the following steps.
- Start the wsadmin client from the following directory of the system on which you installed the Deployment Manager:
  app_server_root\profiles\dm_profile_root\bin
  where app_server_root is the WebSphere® Application Server installation directory and dm_profile_root is the Deployment Manager profile directory, typically dmgr01.
  You must start the client from this directory or subsequent commands that you enter do not execute correctly.
- Start the Communities Jython script interpreter.
- Optional: To check the current setting of the active content filter property, use the following command:
  CommunitiesConfigService.showConfig()
  Look for the following property in the output that displays:
  activeContentFilter.enabled = true
- If you want to change the value of the active content filter property, use the following command:
  CommunitiesConfigService.updateConfig("property", "value")
  where
  - property is one of the editable Communities configuration properties.
  - value is the new value with which you want to set that property.
  The following table displays information regarding the active content filter property and the type of data that you can enter for it.
  Table 1. The active content filter property
  Property: activeContentFilter.enabled
  Description: When enabled, this property prevents the addition of active content (JavaScript™, for example) to any Community text input field. This property takes a Boolean value: true or false.
  For example:
  CommunitiesConfigService.updateConfig("activeContentFilter.enabled", "false")
- After making changes, you must check the configuration files back in, and you must do so during the same wsadmin session in which you checked them out for the changes to take effect. See Applying property changes in Communities for information about how to save and apply your changes.
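As an added example that is not part of the IBM documentation, the following Python script audits captured CommunitiesConfigService.showConfig() output for the filter having been disabled and emits the updateConfig command from the procedure above that re-enables it. The sample output is constructed, and the script assumes the key = value line format shown in the procedure.

```python
import re

# Constructed sample of the property dump that CommunitiesConfigService.showConfig()
# prints in a wsadmin session. Not captured from a real deployment: the second
# property is a placeholder that shows unrelated lines being ignored.
SAMPLE_SHOWCONFIG_OUTPUT = """\
activeContentFilter.enabled = false
example.other.property = 42
"""

PROPERTY = "activeContentFilter.enabled"
# Remediation command, in the form the procedure above uses for updateConfig.
REMEDIATION = 'CommunitiesConfigService.updateConfig("%s", "true")' % PROPERTY

_LINE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$")


def parse_show_config(text):
    """Turn 'key = value' lines from showConfig() into a dict; other lines are skipped."""
    config = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            config[m.group(1)] = m.group(2)
    return config


def audit_active_content_filter(config):
    """Return (compliant, message, remediation). Only an explicit 'true' is compliant;
    a missing or malformed value is reported as well, so a review does not silently
    pass on a config dump that never mentioned the filter."""
    raw = config.get(PROPERTY)
    if raw is None:
        return (False, "%s not present in showConfig() output" % PROPERTY, None)
    value = raw.strip().lower()
    if value == "true":
        return (True, "active content filter enabled", None)
    if value == "false":
        return (False, "active content filter DISABLED: XSS exposure in text input fields", REMEDIATION)
    return (False, "%s has unexpected value %r" % (PROPERTY, raw), REMEDIATION)


if __name__ == "__main__":
    ok, msg, fix = audit_active_content_filter(parse_show_config(SAMPLE_SHOWCONFIG_OUTPUT))
    print(("PASS: " if ok else "FAIL: ") + msg)
    if fix:
        print("remediate in wsadmin with: " + fix)
```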