XSS (cross-site scripting) vulnerability | Community
New Participant
October 16, 2015
Solved

XSS (cross-site scripting) vulnerability

  • October 16, 2015
  • 5 replies
  • 3543 views
http://www.abc.com/search-results.html?search-site=test&locale=en_US%22%3E%3Csvg+src%3DX+onload%3D%22prompt%28%27xss%27%29
 
I see a JavaScript alert coming up in the browser when I feed it the above URL, due to an XSS (cross-site scripting) vulnerability caused by improper handling of the provided URL parameters. Please let me know how I can solve this particular issue.

5 replies

anoopo70540109
New Participant
February 9, 2018

Hi @chandra_cq5

I am also facing the same issue; did you get any solution? I am trying to make the changes at the code level but am not able to figure out how to implement XSSAPI.

If you have done the changes please let me know.

Feike_Visser1
Employee
October 16, 2015

Using Sightly will automatically XSS-protect all your output

New Participant
October 16, 2015

I am using CQ 5.6.1 without Sightly. Do you have any links or a code snippet for what I could add in the dispatcher section that would protect from XSS, i.e. something that in general could be used to protect the website from XSS?

Rob_Ryan (Accepted solution)
New Participant
October 16, 2015

XSS is not something dispatcher can protect you against in general. XSS protection must be built into the code which produces the output being returned in response to requests from the users browser. E.g. in JSPs the XSSAPI (https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html) should be used to filter or encode any values being included in the output if they come from the request, the JCR, or any external data source.

-Rob
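As an added example (not code from this thread or from Adobe), here is what the search-results JSP from the question might look like before and after routing every request-derived value through the XSSAPI. It assumes the `xssAPI` object that `<cq:defineObjects/>` (pulled in via `global.jsp`) exposes in CQ 5.6.1 JSPs, the `search-site` and `locale` parameter names from the URL in the question, and a hypothetical `back` parameter for the link case.

```jsp
<%@ include file="/libs/foundation/global.jsp" %>
<%-- global.jsp runs <cq:defineObjects/>, which defines xssAPI (assumed present in CQ 5.6.1). --%>
<%
    // Both values come straight from the query string and are untrusted.
    String searchTerm = request.getParameter("search-site");
    String locale     = request.getParameter("locale");
    String back       = request.getParameter("back"); // hypothetical parameter
    if (searchTerm == null) { searchTerm = ""; }
    if (locale == null)     { locale = "en_US"; }
    if (back == null)       { back = "/content/home.html"; } // constructed default
%>

<%-- BEFORE: raw parameters echoed into attribute, text, script and href
     contexts. A locale value containing "> closes the attribute and the
     rest of the query string is rendered as markup, which is exactly what
     the URL in the question triggers. Kept in a JSP comment so it never runs. --%>
<%--
<input type="text" name="search-site" value="<%= searchTerm %>">
<p>Results for <%= searchTerm %> (<%= locale %>)</p>
<script>var locale = "<%= locale %>";</script>
<a href="<%= back %>">Back</a>
--%>

<%-- AFTER: encode each value for the exact context it lands in. --%>
<input type="text" name="search-site"
       value="<%= xssAPI.encodeForHTMLAttr(searchTerm) %>">
<p>Results for <%= xssAPI.encodeForHTML(searchTerm) %>
   (<%= xssAPI.encodeForHTML(locale) %>)</p>
<script>var locale = "<%= xssAPI.encodeForJSString(locale) %>";</script>
<%-- getValidHref rejects javascript: and other non-URL values, returning "" instead. --%>
<a href="<%= xssAPI.getValidHref(back) %>">Back</a>
```

The encoding happens at render time inside the component, which is why a dispatcher rule cannot substitute for it: the dispatcher never sees which output context a parameter ends up in.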

smacdonald2008
New Participant
October 16, 2015