Cee Paxton
XSS protection in Liferay 6.1 GA1
January 20, 2013 10:21

Rank: New Member

Posts: 3

Join Date: January 20, 2013

In prior versions of Liferay, XSS protection was enabled by setting the following entry in the portal-ext.properties:

xss.allow=false

In 6.1, it looks like this has been removed as an overridden property in portal-ext. How is it toggled on and off in 6.1? Is it on by default?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 13:07

Rank: Liferay Legend

Posts: 7954

Join Date: March 23, 2010

I think you're right. The last comment in the following issue clearly states it has been removed:

http://issues.liferay.com/browse/LPS-13246
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 13:12

Rank: New Member

Posts: 3

Join Date: January 20, 2013

Even if that particular property has been removed, do you happen to know how to turn XSS on in 6.1?

I assume that they only removed the property and not XSS protection altogether.
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 13:53

Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

Why would you want that?

That property might just as well have been called

hackme=true
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 14:09

Rank: New Member

Posts: 3

Join Date: January 20, 2013

The question is

It doesn't appear to be on by default. How is it turned on in 6.1?
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 23:08

Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

You don't, because the very notion of having such a property is retarded.

Now why do you think you need to enable this property?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
January 21, 2013 03:22

Rank: Liferay Legend

Posts: 7954

Join Date: March 23, 2010

As is written in the issue, XSS protection should be enabled by default. If it's not, can you provide us with a test case?
Also, there have been some security patches in 6.1.0 GA1. Please check if XSS protection is enabled in Liferay 6.1.1 GA2.