Overview
You have noticed that some users are able to inject JavaScript code that runs on the Jive site when they save changes to HTML tiles. You want to stop those users from inserting this code in order to prevent possible cross-site scripting (XSS).
Information
By default, only users with system administration privileges are able to insert JavaScript code into HTML tiles. To ensure that non-administrator users are not able to insert code into HTML tiles, please follow these steps:
Jive Cloud
Please contact us.
Jive Hosted or On-Premise
- Log in to the Admin Console.
- Click on System, then click on System Properties in the left-side menu.
- In the Property Name textbox, paste in: jive.htmlwidget.cleansejavascript
- In the Property Value textbox, paste in: true
- Click on the Save Property button.
- Clear the Jive System Cache.
- Browse to the Permissions tab in the Admin Console.
- Click on Home Page Permissions in the left-side menu.
- Check that no users or user groups have been granted the Save JavaScript permission override.
- If there are any users or user groups that have this override:
  - Click on Edit permissions next to their name.
  - Uncheck the Save JavaScript option.
  - Click on the Set Permissions button.