Overview
You would like to know what measures can be taken to prevent XSS (Cross-Site Scripting attacks) for a custom plugin.
Information
Custom developed plugins are out of scope for the Jive Support team. You will need to reach out to the Professional Services team for further information on this topic. Kindly reach out to your Account Executive for more information on Professional Service engagement.
In the interim, you can find further instructions from the security team. Please note that the recommendations below only harden the environment and make it more difficult for XSS attacks to be effective. Performing these steps alone will not ensure complete protection from XSS attacks; the plugin's own output encoding and input handling still have to be correct.
On the Jive system properties, check or modify the following values:
html.widget.strip.javascript = true
-> (default false) Setting this to true strips all JavaScript from every HTML Text Widget (which is then rendered inline), regardless of the author's entitlements.
jive.htmlwidget.cleansejavascript = true
-> (default true) Keep this at true. Setting it to false stops Jive from stripping JavaScript out of HTML Widgets created by non-system administrators.
html.widget.safemode.enabled = true
-> (default true) Keep this at true. Setting it to false lets HTML Text Widgets that contain JavaScript be rendered inline instead of in the default iFrame.
You will also need to apply the following changes to the script cleaner in the tile add-on files:
<jive_folder>/var/www/resources/add-ons/185191ef-772a-4541-8b5a-411108dda0fa/52416ce682/tiles/generic-html/javascripts/script-cleaner.js
The changes to be made are:
- Add svg to DOM_ELEMENTS
- Add onend to DOM_LEVEL0_EVENTS
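To show why those two list entries matter, the following is an added illustration written for this article; it is not Jive's script-cleaner.js, whose internals are not shown here. It implements a minimal blocklist cleaner of the same shape: elements named in DOM_ELEMENTS are removed together with their content, and attributes named in DOM_LEVEL0_EVENTS are stripped from every remaining tag. The two list names come from the article; the entries placed in them, and the cleanHtml function itself, are assumptions for the illustration. An <svg onload=...> executes script without a <script> tag, so a cleaner whose element list lacks svg lets it through.

```javascript
// Added illustration, not Jive's script-cleaner.js. List names come from the
// article; the entries in them are assumed for this example.

// Elements removed outright, with their content. 'svg' is the entry the
// article says to add: <svg onload="..."> runs script without any <script> tag.
const DOM_ELEMENTS = ['script', 'iframe', 'object', 'embed', 'svg'];

// Event-handler attributes stripped from any tag that survives.
// 'onend' is the entry the article says to add.
const DOM_LEVEL0_EVENTS = ['onload', 'onerror', 'onclick', 'onmouseover', 'onend'];

// One tag: optional '/', a name, then everything up to '>'.
const TAG_RE = /<\/?([a-zA-Z][\w:-]*)([^>]*)>/g;
// One attribute: name with an optional quoted or bare value.
const ATTR_RE = /\s+([^\s=\/>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

// Remove every attribute whose (lower-cased) name is in the events list.
function stripEvents(attrs, events) {
  return attrs.replace(ATTR_RE, (match, name) =>
    events.includes(name.toLowerCase()) ? '' : match);
}

// Blocklist cleaner: drops blocklisted elements and their content, strips
// event-handler attributes from everything else. Matching is case-insensitive
// because browsers treat <SVG> and <svg> alike.
function cleanHtml(html, elements = DOM_ELEMENTS, events = DOM_LEVEL0_EVENTS) {
  let out = '';
  let pos = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [tag, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    const closing = tag.startsWith('</');
    out += html.slice(pos, m.index);   // text before this tag is kept as-is
    pos = m.index + tag.length;
    if (elements.includes(name)) {
      // Opening tag of a blocklisted element: skip to its closing tag too.
      if (!closing && !tag.endsWith('/>')) {
        const close = html.slice(pos).match(new RegExp('</' + name + '\\s*>', 'i'));
        if (close) {
          pos += close.index + close[0].length;
          TAG_RE.lastIndex = pos;
        }
      }
      continue;                        // the tag itself is never emitted
    }
    out += '<' + (closing ? '/' : '') + rawName + stripEvents(attrs, events) + '>';
  }
  return out + html.slice(pos);
}

module.exports = { DOM_ELEMENTS, DOM_LEVEL0_EVENTS, cleanHtml };
```

The last assertion in the accompanying check is the point of the article's instruction: with an element list that does not contain svg, the <svg> element survives the cleaner and only its onload attribute is removed, so any other svg-based vector is left intact. A blocklist of this kind can only ever be as complete as its lists, which is why the article stresses that these steps harden the deployment rather than guarantee protection; a parser-backed allowlist sanitizer is the stronger design for new plugin code.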
Please note that we follow OWASP security best practices. You can find more information below: