63 lines
4.6 KiB
HTML
63 lines
4.6 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Cross-site scripting" />
|
|
<meta name="abstract" content="WebSphere Portal enables Cross-site scripting (CSS) security protection by default. With CSS security protection enabled, the characters ">" (greater than) and "<" (less than) in form input are changed to the character entities "&gt;" and "&lt;". This is done to minimize the security risk of malicious input which could disrupt portal content." />
|
|
<meta name="description" content="WebSphere Portal enables Cross-site scripting (CSS) security protection by default. With CSS security protection enabled, the characters ">" (greater than) and "<" (less than) in form input are changed to the character entities "&gt;" and "&lt;". This is done to minimize the security risk of malicious input which could disrupt portal content." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzammportletconcept.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzammpfileconsiderations.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzammdatabaseconsiderations.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2003, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2003, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzammcrossscripting" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Cross-site scripting</title>
|
|
</head>
|
|
<body id="rzammcrossscripting"><a name="rzammcrossscripting"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Cross-site scripting</h1>
|
|
<div><p>WebSphere<sup>®</sup> Portal
|
|
enables Cross-site scripting (CSS) security protection by default. With CSS
|
|
security protection enabled, the characters ">" (greater than) and "<"
|
|
(less than) in form input are changed to the character entities "&gt;"
|
|
and "&lt;". This is done to minimize the security risk of malicious input
|
|
which could disrupt portal content.</p>
|
|
<p>Having CSS security protection enabled can cause problems with iSeries™ Access
|
|
portlets which rely on form input to retrieve information from the user. For
|
|
example, the iSeries Dynamic
|
|
SQL portlet uses a form to retrieve a SQL statement to run. Any ">" or "<"
|
|
characters in the statement are changed to "&gt;" and "&lt;".
|
|
When the modified statement is run, it fails with this message: <tt class="msgph">[SQL0104]
|
|
Token & was not valid. Valid tokens: < > = <> <= ...</tt> </p>
|
|
<p>WebSphere Portal
|
|
provides a configuration option to disable CSS security protection. Disabling
|
|
this protection avoids the problems associated with modifying form input;
|
|
however, the security implications associated with disabling this support
|
|
need to be considered. See the Troubleshooting section of the WebSphere Portal
|
|
documentation for more information.</p>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzammportletconcept.htm" title="Learn about portlets, cooperative portlets, and issues pertaining to WebSphere Portal's Cross Site Scripting (CSS) security protection configuration.">Portal concepts</a></div>
|
|
</div>
|
|
<div class="relref"><strong>Related reference</strong><br />
|
|
<div><a href="rzammpfileconsiderations.htm" title="The following are considerations for files.">File considerations</a></div>
|
|
<div><a href="rzammdatabaseconsiderations.htm" title="The following considerations apply to using the iSeries Access for Web database functions in a Web application server environment.">Database considerations</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |