Vista combinada Visión Plana Vista de árbol
Discusiones [ Anterior | Siguiente ]
toggle
Cee Paxton
XSS protection in Liferay 6.1 GA1
20 de enero de 2013 10:21
Respuesta

Cee Paxton

Ranking: New Member

Mensajes: 3

Fecha de incorporación: 20 de enero de 2013

Mensajes recientes

In prior version of Liferay, XSS protection was enabled by setting the following entry in the portal-ext.properties:

xss.allow=false

In 6.1, it looks like this has been removed as a overriden property in portal-ext. How is it toggled on and off in 6.1? Is it on by default?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
20 de enero de 2013 13:07
Respuesta

Hitoshi Ozawa

Ranking: Liferay Legend

Mensajes: 7990

Fecha de incorporación: 23 de marzo de 2010

Mensajes recientes

I think you'll right. The last comment in the following issue clearly states it has been removed:

http://issues.liferay.com/browse/LPS-13246
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
20 de enero de 2013 13:12
Respuesta

Cee Paxton

Ranking: New Member

Mensajes: 3

Fecha de incorporación: 20 de enero de 2013

Mensajes recientes

Even if that particular property has been removed., do you happen to know how to turn XSS on in 6.1?

I assume that they only removed the property and not XSS protection all together.
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
20 de enero de 2013 13:53
Respuesta

Jelmer Kuperus

Ranking: Liferay Legend

Mensajes: 1190

Fecha de incorporación: 10 de marzo de 2010

Mensajes recientes

why would you want that ?

that property might just as well have been called

hackme=true
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
20 de enero de 2013 14:09
Respuesta

Cee Paxton

Ranking: New Member

Mensajes: 3

Fecha de incorporación: 20 de enero de 2013

Mensajes recientes

The question is

It doesn't appear to be on by default. How is it turned on in 6.1z
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
20 de enero de 2013 23:08
Respuesta

Jelmer Kuperus

Ranking: Liferay Legend

Mensajes: 1190

Fecha de incorporación: 10 de marzo de 2010

Mensajes recientes

You don't because the very notion of having such a property is retarded

Now why do you think you need to enable this property.
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
21 de enero de 2013 3:22
Respuesta

Hitoshi Ozawa

Ranking: Liferay Legend

Mensajes: 7990

Fecha de incorporación: 23 de marzo de 2010

Mensajes recientes

As is written in the issue, XSS protection should be enable by default. If it's not, can you provide us with a test case?
Also, there have been some security patches in 6.1.0GA1. Please check if XSS protection is enabled in liferay 6.1.1 GA2.