Cross-site scripting (XSS) is a client-side computer attack that is aimed at Web applications. Because XSS attacks can pose a major security threat, Kablink Vibe contains a built-in security filter that protects against XSS vulnerabilities.
The following sections describe the types of content that the security filter blocks from the Vibe site, where exactly it blocks it from entering, and how you can enable specific users to bypass the security filter.
By default, the XSS security filter in Vibe is very strict, and does not allow users to add certain types of content. For example, the following content is not permitted:
HTML that contains JavaScript
Forms
Frames
Objects
Applets
The types of content discussed in Section 12.5.1, Understanding What Content Is Not Permitted, are filtered by Vibe in the following areas:
Text and HTML fields in entries and folders
Uploaded HTML files
Vibe enables you to run an XSS report that lists XSS threats that are contained in your Vibe system. For more information, see Section 20.1.8, XSS Report.
Specific users might need to add some of the content described in Section 12.5.1, Understanding What Content Is Not Permitted. If you trust these users, you can enable them to bypass the XSS security filter.
IMPORTANT: We do not recommend that you turn off the XSS security filter for the entire site. For more information about keeping your Vibe site secure from XSS, see Section 26.3.9, Securing the Vibe Site from XSS.
Change to the following directory:
Open the zone-ext.cfg.xml file in a text editor.
Add the following information to the XML file, inside the <zoneConfiguration> tags:
<zone name="kablink">
  <xssConfiguration>
    <trustedUsers>
      <user name="jchavez"/>
    </trustedUsers>
  </xssConfiguration>
</zone>
The user name value should contain the user ID for the user you want to be able to upload HTML files to the Vibe site.
To enable multiple users to add HTML content to the Vibe site, use multiple <user name> elements. For example:
<user name="jchavez"/>
<user name="ahall"/>
<user name="cjones"/>
Stop and restart Vibe.
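Because every user listed under <trustedUsers> bypasses the XSS security filter, it is worth reviewing that list regularly. The following is an added example, not part of the Vibe documentation or product: a small Python audit that reads the trusted-user entries and reports any that are empty, duplicated, or missing from an approved list. The sample configuration and the APPROVED allowlist are constructed for illustration, and the script assumes the elements carry no XML namespace, as in the snippet above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of zone-ext.cfg.xml using only the elements shown above.
SAMPLE_CONFIG = """\
<zoneConfiguration>
  <zone name="kablink">
    <xssConfiguration>
      <trustedUsers>
        <user name="jchavez"/>
        <user name="ahall"/>
        <user name="cjones"/>
        <user name="ahall"/>
        <user name=""/>
      </trustedUsers>
    </xssConfiguration>
  </zone>
</zoneConfiguration>
"""

# Hypothetical allowlist: user IDs your change records say may bypass the filter.
APPROVED = {"kablink": {"jchavez", "ahall"}}


def audit_trusted_users(xml_text, approved):
    """Return (zone, user, finding) tuples for trusted-user entries needing review."""
    findings = []
    root = ET.fromstring(xml_text)
    # Assumes no XML namespace on the elements, as in the snippet on this page.
    for zone in root.iter("zone"):
        zone_name = zone.get("name", "")
        allowed = approved.get(zone_name, set())
        seen = set()
        for user in zone.findall("./xssConfiguration/trustedUsers/user"):
            name = (user.get("name") or "").strip()
            if not name:
                findings.append((zone_name, name, "empty user name"))
            elif name in seen:
                findings.append((zone_name, name, "duplicate entry"))
            elif name not in allowed:
                findings.append((zone_name, name, "not on approved list"))
            seen.add(name)
    return findings


if __name__ == "__main__":
    for zone_name, user, finding in audit_trusted_users(SAMPLE_CONFIG, APPROVED):
        print(f"zone={zone_name} user={user!r}: {finding}")
```

To audit a real system, pass the contents of your own zone-ext.cfg.xml file in place of SAMPLE_CONFIG and keep APPROVED in step with the users you have deliberately trusted.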