Environment
Novell Teaming 2.1
Novell Vibe OnPrem 3
Situation
Novell Teaming implements an XSS (Cross-Site Scripting) checker which prevents users from injecting client-side scripts into the description areas of folders and entries. Common examples of blocked content include HTML that contains JavaScript, forms, frames and objects. However, an administrator may sometimes want to add content that the XSS checker blocks, such as an FTP link.
Resolution
Novell Teaming allows you to designate one or more trusted users and/or groups that bypass the XSS checker. These users can enter anything that the XSS checker would otherwise block in titles, descriptions, text areas, etc. for workspaces, folders and entries.
It is recommended that you consider the risks of bypassing the XSS checker before adding users to the trusted list.
A server administrator can follow these simple steps to add a user and a group to the trusted users list:
- Locate the file 'zone-ext.cfg.xml' in your Teaming installation’s \webapps\ssf\WEB-INF\classes\config\ folder.
- Add and save the following XML node within the <zoneConfiguration> </zoneConfiguration> node:
    <zone name="liferay.com">
        <!--All new users in this zone will be assigned group membership in these groups.-->
        <defaultGroupsOnAcctCreation>
            <!--Example format.
            <group name="registered_user" />-->
        </defaultGroupsOnAcctCreation>
        <xssConfiguration>
            <trustedUsers>
                <user name="alexander"/>
            </trustedUsers>
            <trustedGroups>
                <group name="admins"/>
            </trustedGroups>
        </xssConfiguration>
    </zone>
- The above setting indicates that you want to allow the user "alexander" and all members of the group "admins" to bypass the XSS checker in the default Teaming zone (liferay.com).
- Locate the file 'ssf-ext.properties' in your Teaming installation’s \webapps\ssf\WEB-INF\classes\config\ folder and add the following lines towards the end:
    xss.check.enable=true
    xss.check.mode.default=trusted.strip
- Restart your Teaming service (as per instructions for your Server OS) for the changes to take effect.
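Because every trusted entry can store content the XSS checker would otherwise block, it helps to review the list periodically. The following audit script is an added example, not part of the original article or of Novell's tooling: it reads the two files edited in the steps above and reports trusted users or groups that are not on an approved list. The approved list, the user "tempcontractor" and the embedded file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the fragment above ("tempcontractor" is made up).
ZONE_XML = """<zoneConfiguration>
  <zone name="liferay.com">
    <xssConfiguration>
      <trustedUsers><user name="alexander"/><user name="tempcontractor"/></trustedUsers>
      <trustedGroups><group name="admins"/></trustedGroups>
    </xssConfiguration>
  </zone>
</zoneConfiguration>"""
PROPS = "xss.check.enable=true\nxss.check.mode.default=trusted.strip\n"
# Hypothetical approved list (zone -> principals), e.g. kept under change control.
APPROVED = {"liferay.com": {"user:alexander", "group:admins"}}

def trusted_principals(zone_xml):
    """Map each zone name to the 'user:NAME'/'group:NAME' entries that bypass the checker."""
    result = {}
    for zone in ET.fromstring(zone_xml).iter("zone"):
        found = set()
        for kind in ("user", "group"):
            # Builds xssConfiguration/trustedUsers/user and .../trustedGroups/group
            path = "xssConfiguration/trusted%ss/%s" % (kind.capitalize(), kind)
            found |= {"%s:%s" % (kind, el.get("name")) for el in zone.findall(path)}
        result[zone.get("name")] = found
    return result

def parse_properties(text):
    """Parse key=value lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(zone_xml, props_text, approved):
    """Return findings: property values that differ from the article's, unapproved entries."""
    findings = []
    props = parse_properties(props_text)
    for key, want in (("xss.check.enable", "true"), ("xss.check.mode.default", "trusted.strip")):
        if props.get(key) != want:
            findings.append("%s is %r, expected %r" % (key, props.get(key), want))
    for zone, principals in sorted(trusted_principals(zone_xml).items()):
        for entry in sorted(principals - approved.get(zone, set())):
            findings.append("unapproved XSS bypass in zone %s: %s" % (zone, entry))
    return findings
```

To use it against a real installation, replace ZONE_XML and PROPS with the contents of 'zone-ext.cfg.xml' and 'ssf-ext.properties' and call audit(); an empty list means the files match the approved list and the two property values shown above.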