Configuration Manager - Commerce - Cross Site Scripting Protection

Note: To use the cross site scripting protection security feature for a store, you need to define the ProhibitedAttrsErrorView, ProhibitedCharacterErrorView, and ProhibCharEncodingErrorView views for the store.

The Cross Site Scripting Protection node of the Configuration Manager enables or disables cross site scripting protection for your instance. When enabled, this feature rejects any user request whose parameters use an attribute name that you have designated as prohibited, or whose parameter values contain a string that you have designated as prohibited. You specify the prohibited attributes and strings in this node of the Configuration Manager. You can also exempt individual commands from the check by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross site scripting protection is disabled by default.

Warning: Cross site scripting protection is a restrictive feature: it blocks the execution of commands purely on the basis of the configuration. The feature does not validate the attributes or strings you define as prohibited against what the commands actually use, so when you configure it, make sure that no prohibited attribute is a parameter that a command relies on, and that no prohibited string is a value that is normally passed to a command; otherwise legitimate requests are rejected. Use extreme caution when configuring this feature.

General tab
Use the General tab to activate the cross site scripting protection feature by clicking Enable. Configure the feature by completing the following tables:
Prohibited Attributes table
Lists attributes that you wish to disallow for WebSphere Commerce commands. To add attributes that you wish to disallow for WebSphere Commerce commands, right-click on the Prohibited Attributes table and select Add row. Type the attribute that you wish to disallow. You can only specify one attribute per row. To remove attributes from the Prohibited Attributes table, highlight and right-click the line containing the attribute in the table and select Delete row.
Prohibited Characters table
Lists character strings that you wish to disallow for WebSphere Commerce commands. To add strings that you wish to disallow for WebSphere Commerce commands, right-click on the Prohibited Characters table and select Add row. Type the string that you wish to disallow. You can only specify one string per row. To remove a string from the Prohibited Characters table, highlight and right-click the line containing the string in the Prohibited Characters table and select Delete row.

Note: The following strings are specified by default in the Prohibited Characters table. These strings are the ones most commonly used to open scripting tags in cross site scripting attacks:

"<SCRIPT"
"&lt;SCRIPT"
"<%"
"&lt;%"
Advanced tab
Use the Advanced tab to exclude WebSphere Commerce commands from cross site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings.
Command List
Lists the WebSphere Commerce commands. Select the command to exclude from this list, type the attributes for which prohibited strings are allowed, separated by commas, in the List of Excepted Attributes window, and click Add. To remove a command along with its attributes, select the command in the List of Excepted Commands window and click Remove. You can also remove a specific attribute from a command by selecting the attribute and clicking Remove.

To apply your changes to Configuration Manager, click Apply. Upon successfully updating the configuration for your instance, you will receive a message indicating a successful update. From the WebSphere Application Server Administration Console, stop then restart the WebSphere Commerce Server instance.
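The following Python script is an added example that models the filtering rules this topic describes; it is not IBM's implementation and does not call any WebSphere Commerce API. A request is rejected if a parameter name is in the Prohibited Attributes table, or if a parameter value contains a string from the Prohibited Characters table, unless that attribute is excepted for the command on the Advanced tab. The command names (OrderItemAdd, CatalogSearchResultView, RichTextUpdate), the attribute names, the case-insensitive substring matching, and matching against URL-decoded parameter values are assumptions made for the example.

```python
"""Model of cross site scripting protection as configured in Configuration Manager.

Example code, not IBM's implementation. Matching rules (exact match on attribute
names, case-insensitive substring match on URL-decoded values) are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Default entries of the Prohibited Characters table, as listed in the topic.
DEFAULT_PROHIBITED_STRINGS = ("<SCRIPT", "&lt;SCRIPT", "<%", "&lt;%")


@dataclass
class XssProtectionConfig:
    enabled: bool = False                       # disabled by default, as on the page
    prohibited_attributes: frozenset = frozenset()
    prohibited_strings: tuple = DEFAULT_PROHIBITED_STRINGS
    # Advanced tab: command name -> attributes whose values may contain prohibited strings
    excepted_attributes: dict = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    reason: str = ""


def check_request(config, command, params):
    """Apply the configured rules to one command invocation.

    params is the list of (attribute, value) pairs as sent with the request.
    """
    if not config.enabled:
        return Verdict(True, "protection disabled")
    excepted = config.excepted_attributes.get(command, set())
    for name, value in params:
        # Prohibited attributes are rejected regardless of their value.
        if name in config.prohibited_attributes:
            return Verdict(False, f"prohibited attribute {name!r}")
        # Excepted attributes for this command skip the string check.
        if name in excepted:
            continue
        upper = value.upper()
        for bad in config.prohibited_strings:
            if bad.upper() in upper:
                return Verdict(False, f"prohibited string {bad!r} in attribute {name!r}")
    return Verdict(True, "")


def check_url(config, url):
    """Split a store URL like /servlet/OrderItemAdd?a=1&b=2 into command and parameters."""
    path, _, query = url.partition("?")
    command = path.rsplit("/", 1)[-1]
    params = parse_qsl(query, keep_blank_values=True)   # decodes %XX and '+' escapes
    return check_request(config, command, params)


# A sensible configuration: defaults enabled, one hypothetical command excepted.
STORE_CONFIG = XssProtectionConfig(
    enabled=True,
    prohibited_attributes=frozenset({"debug"}),       # hypothetical attribute
    excepted_attributes={"RichTextUpdate": {"body"}},  # hypothetical command/attribute
)

# The misconfiguration the Warning describes: "<" is a value shoppers normally type.
OVERBROAD_CONFIG = XssProtectionConfig(
    enabled=True,
    prohibited_strings=DEFAULT_PROHIBITED_STRINGS + ("<",),
)


def demo():
    """Constructed sample requests and the verdict each one receives."""
    cases = [
        (STORE_CONFIG, "/servlet/OrderItemAdd?catEntryId=10001&quantity=1"),
        (STORE_CONFIG, "/servlet/OrderItemAdd?catEntryId=%3Cscript%3Ealert(1)%3C/script%3E"),
        (STORE_CONFIG, "/servlet/OrderItemAdd?catEntryId=%26lt%3BSCRIPT"),   # pre-encoded entity
        (STORE_CONFIG, "/servlet/OrderItemAdd?debug=1"),
        (STORE_CONFIG, "/servlet/RichTextUpdate?body=%3C%25%3D+x+%25%3E"),   # excepted attribute
        (STORE_CONFIG, "/servlet/OrderItemAdd?body=%3C%25%3D+x+%25%3E"),     # same value, not excepted
        (OVERBROAD_CONFIG, "/servlet/CatalogSearchResultView?searchTerm=size+%3C+10"),
    ]
    return [(url, check_url(cfg, url)) for cfg, url in cases]


if __name__ == "__main__":
    for url, verdict in demo():
        print(f"{'ALLOW' if verdict.allowed else 'REJECT':6} {url}  {verdict.reason}")
```

The last case shows why the Warning matters: once "<" itself is prohibited, an ordinary catalog search for "size < 10" is rejected along with the attacks, and nothing in the configuration step flags that. The excepted-attribute case shows the Advanced tab's scope: the exception is per command, so the same "<%" value is still rejected when it arrives on a command that was not excepted.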

For more information, see the "Authentication" topic in the WebSphere Commerce Information Center.
