Forums

Home » Liferay Portal » English » 3. Development

Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Cee Paxton
XSS protection in Liferay 6.1 GA1
January 20, 2013 10:21 AM
Answer

Cee Paxton

Rank: New Member

Posts: 3

Join Date: January 20, 2013

Recent Posts

In prior version of Liferay, XSS protection was enabled by setting the following entry in the portal-ext.properties:

xss.allow=false

In 6.1, it looks like this has been removed as a overriden property in portal-ext. How is it toggled on and off in 6.1? Is it on by default?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 1:07 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7954

Join Date: March 23, 2010

Recent Posts

I think you'll right. The last comment in the following issue clearly states it has been removed:

http://issues.liferay.com/browse/LPS-13246
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 1:12 PM
Answer

Cee Paxton

Rank: New Member

Posts: 3

Join Date: January 20, 2013

Recent Posts

Even if that particular property has been removed., do you happen to know how to turn XSS on in 6.1?

I assume that they only removed the property and not XSS protection all together.
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 1:53 PM
Answer

Jelmer Kuperus

Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

Recent Posts

why would you want that ?

that property might just as well have been called

hackme=true
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 2:09 PM
Answer

Cee Paxton

Rank: New Member

Posts: 3

Join Date: January 20, 2013

Recent Posts

The question is

It doesn't appear to be on by default. How is it turned on in 6.1z
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 11:08 PM
Answer

Jelmer Kuperus

Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

Recent Posts

You don't because the very notion of having such a property is retarded

Now why do you think you need to enable this property.
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
January 21, 2013 3:22 AM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7954

Join Date: March 23, 2010

Recent Posts

As is written in the issue, XSS protection should be enable by default. If it's not, can you provide us with a test case?
Also, there have been some security patches in 6.1.0GA1. Please check if XSS protection is enabled in liferay 6.1.1 GA2.