Cross Site Scripting (XSS) attacks use web applications to inject malicious scripts or a malicious payload, generally in the form of a client-side script, into trusted, legitimate web applications. XSS attackers can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information that the web browser maintains on behalf of the user for those web applications.
You can use the following approach to mitigate XSS attacks.
The XSS Valve acts as a filter that distinguishes malicious scripts from legitimate ones by validating incoming requests against the configured URL patterns.
<PRODUCT_HOME>/repository/conf/carbon.xml file and add the following code snippet under the
<XSSPreventionConfig>
    <Enabled>true</Enabled>
    <Rule>allow</Rule>
    <Patterns>
        <Pattern>carbon/resources/update_text_content_ajaxprocessor.jsp</Pattern>
        <Pattern>carbon/resources/add_text_resource_ajaxprocessor.jsp</Pattern>
    </Patterns>
</XSSPreventionConfig>
Add the following configuration within the <Hosts> element of the
Restart the product server.
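The following added example (not part of the original page or the product) parses the <XSSPreventionConfig> fragment above, rejects values the valve could not act on, and shows which request paths fall under the configured rule. It assumes that a pattern matches when the request path ends with it, and that under the allow rule the listed paths pass while all others are denied (the deny rule inverting that); the valve's actual matching rules are not stated on this page.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: the fragment shown on this page as it would sit in carbon.xml.
SAMPLE_CONFIG = """
<XSSPreventionConfig>
  <Enabled>true</Enabled>
  <Rule>allow</Rule>
  <Patterns>
    <Pattern>carbon/resources/update_text_content_ajaxprocessor.jsp</Pattern>
    <Pattern>carbon/resources/add_text_resource_ajaxprocessor.jsp</Pattern>
  </Patterns>
</XSSPreventionConfig>
"""

@dataclass
class XSSPreventionConfig:
    enabled: bool
    rule: str          # "allow" or "deny"
    patterns: list     # relative URL patterns, as written in carbon.xml

def parse_config(xml_text: str) -> XSSPreventionConfig:
    """Parse the fragment and reject values the valve cannot act on."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "XSSPreventionConfig":
        raise ValueError(f"unexpected root element <{root.tag}>")
    enabled = (root.findtext("Enabled") or "").strip().lower()
    if enabled not in ("true", "false"):
        raise ValueError("<Enabled> must be true or false")
    rule = (root.findtext("Rule") or "").strip().lower()
    if rule not in ("allow", "deny"):
        raise ValueError("<Rule> must be allow or deny")
    patterns = [p.text.strip() for p in root.iterfind("Patterns/Pattern")
                if p.text and p.text.strip()]
    if not patterns:
        raise ValueError("<Patterns> must list at least one <Pattern>")
    return XSSPreventionConfig(enabled == "true", rule, patterns)

def matches_pattern(config: XSSPreventionConfig, request_uri: str) -> bool:
    """Assumption: the request path (query string dropped) ends with a listed pattern."""
    path = request_uri.split("?", 1)[0].lstrip("/")
    return any(path == p or path.endswith("/" + p) for p in config.patterns)

def decide(config: XSSPreventionConfig, request_uri: str) -> str:
    """Assumed semantics: 'allow' passes only listed paths, 'deny' passes only unlisted ones."""
    if not config.enabled:
        return "allow"   # valve disabled: nothing is filtered
    hit = matches_pattern(config, request_uri)
    if config.rule == "allow":
        return "allow" if hit else "deny"
    return "deny" if hit else "allow"
```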