Foros de discusión

XSS protection in Liferay 6.1 GA1

Cee Paxton, modificado hace 11 años.

XSS protection in Liferay 6.1 GA1

New Member Mensajes: 3 Fecha de incorporación: 20/01/13 Mensajes recientes
In prior version of Liferay, XSS protection was enabled by setting the following entry in the portal-ext.properties:

xss.allow=false

In 6.1, it looks like this has been removed as a overriden property in portal-ext. How is it toggled on and off in 6.1? Is it on by default?
thumbnail
Hitoshi Ozawa, modificado hace 11 años.

RE: XSS protection in Liferay 6.1 GA1

Liferay Legend Mensajes: 7942 Fecha de incorporación: 24/03/10 Mensajes recientes
I think you'll right. The last comment in the following issue clearly states it has been removed:

http://issues.liferay.com/browse/LPS-13246
Cee Paxton, modificado hace 11 años.

RE: XSS protection in Liferay 6.1 GA1

New Member Mensajes: 3 Fecha de incorporación: 20/01/13 Mensajes recientes
Even if that particular property has been removed., do you happen to know how to turn XSS on in 6.1?

I assume that they only removed the property and not XSS protection all together.
thumbnail
jelmer kuperus, modificado hace 11 años.

RE: XSS protection in Liferay 6.1 GA1

Liferay Legend Mensajes: 1191 Fecha de incorporación: 10/03/10 Mensajes recientes
why would you want that ?

that property might just as well have been called

hackme=true
Cee Paxton, modificado hace 11 años.

RE: XSS protection in Liferay 6.1 GA1

New Member Mensajes: 3 Fecha de incorporación: 20/01/13 Mensajes recientes
The question is

It doesn't appear to be on by default. How is it turned on in 6.1z
thumbnail
jelmer kuperus, modificado hace 11 años.

RE: XSS protection in Liferay 6.1 GA1

Liferay Legend Mensajes: 1191 Fecha de incorporación: 10/03/10 Mensajes recientes
You don't because the very notion of having such a property is retarded

Now why do you think you need to enable this property.
thumbnail
Hitoshi Ozawa, modificado hace 11 años.

RE: XSS protection in Liferay 6.1 GA1

Liferay Legend Mensajes: 7942 Fecha de incorporación: 24/03/10 Mensajes recientes
As is written in the issue, XSS protection should be enable by default. If it's not, can you provide us with a test case?
Also, there have been some security patches in 6.1.0GA1. Please check if XSS protection is enabled in liferay 6.1.1 GA2.