Bypass the XSS (Cross Site Scripting) Checker for selected users/groups in Teaming

  • 7006194
  • 03-Jun-2010
  • 27-Apr-2012

Environment
Novell Teaming 2.1
Novell Vibe OnPrem 3

Situation

Novell Teaming implements an XSS (Cross Site Scripting) checker which prevents a user from injecting client-side scripts into the description areas of folders and entries. Common examples of blocked content include HTML that contains JavaScript, forms, frames and objects. However, an administrator may sometimes want to add content that the XSS checker blocks, such as an ftp link.

Resolution

Novell Teaming allows you to add one or more trusted users and/or groups that are able to bypass the XSS checker. This means that they can enter everything that the XSS checker otherwise blocks in titles, descriptions, text areas, etc. of workspaces, folders and entries.

A server administrator can follow these simple steps to add a user and a group to the trusted users list:
  1. Locate the file 'zone-ext.cfg.xml' in your Teaming installation’s \webapps\ssf\WEB-INF\classes\config\ folder.
  2. Add and save the following XML node within the <zoneConfiguration> </zoneConfiguration> node:
    <zone name="liferay.com">
        <!--All new users in this zone will be assigned group membership in these groups.-->
        <defaultGroupsOnAcctCreation>
            <!--Example format.
            <group name="registered_user" />-->
        </defaultGroupsOnAcctCreation>
        <xssConfiguration>
            <trustedUsers>
                <user name="alexander"/>
            </trustedUsers>
            <trustedGroups>
                <group name="admins"/>
            </trustedGroups>
        </xssConfiguration>
    </zone>
  3. The above setting indicates that you want to allow the user "alexander" and all members of the group "admins" to bypass the XSS checker in the default Teaming zone (liferay.com).
  4. Locate the file 'ssf-ext.properties' in your Teaming installation’s \webapps\ssf\WEB-INF\classes\config\ folder and add the following lines towards the end:
    xss.check.enable=true
    xss.check.mode.default=trusted.strip
  5. Restart your Teaming service (as per instructions for your Server OS) for the changes to take effect.
After the above changes have been made and the Teaming server restarted, log in to the Teaming site as user 'alexander' or as any member of the group 'admins'. Create a new entry and try adding a sample ftp link to the entry's description. You will notice that the ftp link is added as-is, without any checks performed by the XSS checker. If you try the same with a non-trusted user, you will notice that the XSS checker alters the ftp link upon submission.
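Because every name in trustedUsers and trustedGroups can post unfiltered HTML, it is worth re-checking the bypass list after each change. The following Python script is an added example, not part of this TID or of the Teaming product: it reads the two settings described above from constructed copies of the zone-ext.cfg.xml node and the ssf-ext.properties lines, lists who may bypass the checker per zone, and confirms that the checker itself is still enabled.

```python
# Added audit helper (not from the TID): who may bypass the XSS checker, is it on?
import xml.etree.ElementTree as ET

# Constructed sample of the <zoneConfiguration> node shown in the TID.
ZONE_EXT_CFG_XML = """<zoneConfiguration>
  <zone name="liferay.com">
    <xssConfiguration>
      <trustedUsers>
        <user name="alexander"/>
      </trustedUsers>
      <trustedGroups>
        <group name="admins"/>
      </trustedGroups>
    </xssConfiguration>
  </zone>
</zoneConfiguration>
"""

# Constructed sample of the two lines the TID adds to ssf-ext.properties.
SSF_EXT_PROPERTIES = """xss.check.enable=true
xss.check.mode.default=trusted.strip
"""

def trusted_bypass_list(xml_text):
    """Return {zone: {"users": [...], "groups": [...]}} from zone-ext.cfg.xml."""
    result = {}
    for zone in ET.fromstring(xml_text).iter("zone"):
        users, groups = [], []
        for xss in zone.findall("xssConfiguration"):
            users += [u.get("name") for u in xss.findall("trustedUsers/user")]
            groups += [g.get("name") for g in xss.findall("trustedGroups/group")]
        result[zone.get("name")] = {"users": users, "groups": groups}
    return result

def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def xss_checker_status(props):
    """(enabled, mode): enabled only when xss.check.enable is literally true."""
    enabled = props.get("xss.check.enable", "").strip().lower() == "true"
    return enabled, props.get("xss.check.mode.default")
```

Point the two functions at the real files under \webapps\ssf\WEB-INF\classes\config\ to audit a live installation; any zone whose lists are non-empty while the checker is enabled is a set of accounts whose content is trusted as-is.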

It is recommended that you consider the risks of bypassing the XSS checker before adding users to the trusted list.