Cross-site scripting (XSS) is a client-side attack that targets Web applications. Because XSS attacks can pose a major security threat, Novell Teaming contains a built-in security filter that protects against XSS vulnerabilities.
The following sections describe the types of content that the security filter blocks from the Teaming site, where exactly it blocks that content from entering, and how you can enable specific users to bypass the security filter.
By default, the XSS security filter in Teaming is very strict, and does not allow users to add certain types of content. Following are examples of content that is not permitted:
HTML that contains JavaScript
Forms
Frames
Objects
Applets
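As an added illustration of the content classes listed above (this is not Teaming's own filter code, which the page does not show), the following Python checker flags script elements, JavaScript carried in event-handler attributes or in javascript: URLs, and form, frame, object and applet elements. Which tag and attribute names count as "HTML that contains JavaScript" or "Frames" (for example, treating iframe as a frame) is my assumption, and the sample inputs are constructed.

```python
from html.parser import HTMLParser

# Element names corresponding to the content classes above: scripts (JavaScript),
# forms, frames, objects and applets. Treating iframe/frameset as frames is an
# assumption made for this example.
BLOCKED_TAGS = {"script", "form", "frame", "frameset", "iframe", "object", "applet"}

# Attributes whose value may carry a javascript: URL.
URL_ATTRS = {"href", "src", "action"}


class _Inspector(HTMLParser):
    """Collects a finding for every blocked tag, event handler, or javascript: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in BLOCKED_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                # onclick, onload, onerror, ... all execute script.
                self.findings.append(f"event-handler:{name}")
            elif value is not None and name in URL_ATTRS:
                # Leading whitespace and mixed case are ignored by browsers, so strip/lower first.
                if value.strip().lower().startswith("javascript:"):
                    self.findings.append(f"javascript-url:{name}")


def inspect_html(html):
    """Return the list of findings for a fragment of HTML (empty list means nothing flagged)."""
    inspector = _Inspector()
    inspector.feed(html)
    inspector.close()
    return inspector.findings


def is_permitted(html):
    """True when the fragment contains none of the content classes the filter rejects."""
    return not inspect_html(html)


# Constructed sample inputs for demonstration only.
SAMPLES = [
    "<p>Status update: <b>all systems nominal</b></p>",
    "<script>var greeting = 'hi';</script>",
    "<p onmouseover=\"highlight()\">hover me</p>",
    "<a href=' JavaScript:void(0)'>link</a>",
    "<form action='/submit'><input name='q'></form>",
    "<iframe src='https://example.com/'></iframe>",
    "<applet code='Demo.class'></applet>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r} -> {inspect_html(sample) or 'permitted'}")
```

A product filter would normally allow-list known-safe elements and attributes rather than block-list the dangerous ones; this checker is meant to make it easy to see why a given fragment is rejected.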
The types of content discussed in Section 13.4.1, Understanding What Content Is Not Permitted, are filtered by Teaming in the following areas:
Text and HTML fields in entries and folders
Uploaded HTML files
Specific users might need to add the types of content described in Section 13.4.1, Understanding What Content Is Not Permitted, to the Teaming site. If you trust these users, you can enable them to bypass the XSS security filter.
Change to the following directory:
Open the zone-ext.cfg.xml file in a text editor.
Add the following information to the XML file, inside the <zoneConfiguration> tags:
    <zone name="kablink">
        <xssConfiguration>
            <trustedUsers>
                <user name="jchavez"/>
            </trustedUsers>
        </xssConfiguration>
    </zone>
The value of the name attribute should be the user ID of the user to whom you want to grant rights to upload HTML files to the Teaming site.
To enable multiple users to add HTML content to the Teaming site, use multiple <user> elements. For example:
    <user name="jchavez"/>
    <user name="ahall"/>
    <user name="cjones"/>
Stop and restart Teaming.
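The following Python script is an added example and is not part of Teaming. It assumes that zone-ext.cfg.xml has <zoneConfiguration> as its root element with one <zone> child per zone (the page shows only the zone fragment), and it works on a constructed sample configuration rather than a real file. It lists which user IDs may bypass the XSS filter in each zone, which is worth reviewing periodically since each entry is a user whose uploaded HTML is trusted unfiltered, and it adds a user under the xssConfiguration/trustedUsers path, creating the intermediate elements if they are missing and never adding a duplicate.

```python
import xml.etree.ElementTree as ET

# Constructed sample of zone-ext.cfg.xml; assumes <zoneConfiguration> is the root
# element. Any other settings the real file carries are omitted here.
SAMPLE_CONFIG = """<zoneConfiguration>
  <zone name="kablink">
    <xssConfiguration>
      <trustedUsers>
        <user name="jchavez"/>
      </trustedUsers>
    </xssConfiguration>
  </zone>
</zoneConfiguration>
"""

TRUSTED_PATH = "xssConfiguration/trustedUsers/user"


def list_trusted_users(xml_text):
    """Map each zone name to the list of user IDs allowed to bypass the XSS filter."""
    root = ET.fromstring(xml_text)
    result = {}
    for zone in root.findall("zone"):
        users = [u.get("name") for u in zone.findall(TRUSTED_PATH)]
        result[zone.get("name")] = users
    return result


def _child(parent, tag, **attrs):
    """Return the first child with this tag (and matching attributes), creating it if absent."""
    for elem in parent.findall(tag):
        if all(elem.get(k) == v for k, v in attrs.items()):
            return elem
    return ET.SubElement(parent, tag, **attrs)


def add_trusted_user(xml_text, zone_name, user_name):
    """Return the configuration text with user_name trusted in zone_name (idempotent)."""
    root = ET.fromstring(xml_text)
    zone = _child(root, "zone", name=zone_name)
    trusted = _child(_child(zone, "xssConfiguration"), "trustedUsers")
    if not any(u.get("name") == user_name for u in trusted.findall("user")):
        ET.SubElement(trusted, "user", name=user_name)
    if hasattr(ET, "indent"):  # Python 3.9+: keep the output readable for hand editing
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("Before:", list_trusted_users(SAMPLE_CONFIG))
    updated = add_trusted_user(SAMPLE_CONFIG, "kablink", "ahall")
    print("After: ", list_trusted_users(updated))
    print(updated)
```

To apply this to a live installation you would read the existing zone-ext.cfg.xml, pass its text to add_trusted_user, write the result back, and then stop and restart Teaming as described above; reviewing the output of list_trusted_users after each change confirms exactly who holds the bypass.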