SamePage introduced an XSS filter in version 4.0 to make the enterprise wiki more robust and secure. For users, this means that HTML content containing JavaScript or script tags cannot be saved. This prevents Cross-Site Scripting (XSS) attacks.
If a user tries to create content containing script tags, SamePage shows the warning "Some invalid javascript tags have been found which can corrupt the application. Please check your input and remove it to save properly." and does not allow the user to save the page.
It is possible that certain enterprise customers may find this too restrictive and unnecessary for a secure, internal instance. In that case, you can follow the steps below to turn off XSS filtering. However, please be aware that in doing so the deployment becomes vulnerable to XSS and XSRF attacks.
Release 4.1 and Upwards
- Go to System Administration -> System Parameters
- Search for net.etouch.filter.xss
- Set the value to false
- Click on Save.
Release 4.0
1. Navigate to $INSTALLDIR/cm/WEB-INF.
2. Open web.xml in a text editor.
3. Comment out the following tag. After commenting, the tag should look like the following.
<!-- filter>
    <filter-name>XSSFilter</filter-name>
    <display-name>XSSFilter</display-name>
    <description>XSSFilter</description>
    <filter-class>net.etouch.contmgmt.common.XSSFilter</filter-class>
    <init-param>
        <param-name>redirectTo</param-name>
        <param-value>../error/invalidinputerror.jsp</param-value>
    </init-param>
    <init-param>
        <param-name>pathList</param-name>
        <param-value>emailpage.jsp, /admin/, /analytics/, /authoring/, /contmgmt/, /help/, /home/,/images/,/jasper/, /javascript/,/site/,/syndication/,/taskmgmt/,/workflow/</param-value>
    </init-param>
</filter -->
4. Comment out the following tag. After commenting, it should look like the following.
<!-- filter-mapping>
    <filter-name>XSSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping -->
5. Restart the SamePage server.
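Because a commented-out filter silently stops protecting the deployment, an administrator auditing a 4.0 instance will want to confirm which state web.xml is actually in. The following Python check is an added example, not part of the SamePage product or documentation; it assumes a standard servlet deployment descriptor layout and uses constructed sample files, not a real SamePage web.xml.

```python
import xml.etree.ElementTree as ET

XSS_FILTER_CLASS = "net.etouch.contmgmt.common.XSSFilter"  # class named in web.xml above

# Constructed minimal web.xml with the filter active (not a real SamePage file).
ENABLED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>XSSFilter</filter-name>
    <filter-class>net.etouch.contmgmt.common.XSSFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>XSSFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""
# The same file after steps 3 and 4: both elements wrapped in XML comments.
DISABLED_WEB_XML = (ENABLED_WEB_XML
    .replace("<filter>", "<!-- filter>").replace("</filter>", "</filter -->")
    .replace("<filter-mapping>", "<!-- filter-mapping>")
    .replace("</filter-mapping>", "</filter-mapping -->"))

def _local(tag):
    """Drop the namespace from a tag such as '{http://...}filter'."""
    return tag.rsplit("}", 1)[-1]

def _child_text(el, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for c in el:
        if _local(c.tag) == name and c.text:
            return c.text.strip()
    return ""

def audit_xss_filter(web_xml_text):
    """Return (declared, url_patterns) for the XSSFilter in a web.xml."""
    # ElementTree drops comments while parsing, so a commented-out filter or
    # mapping vanishes from the tree and is reported as absent.
    root = ET.fromstring(web_xml_text)
    names = {_child_text(el, "filter-name") for el in root
             if _local(el.tag) == "filter"
             and _child_text(el, "filter-class") == XSS_FILTER_CLASS}
    patterns = [_child_text(el, "url-pattern") for el in root
                if _local(el.tag) == "filter-mapping"
                and _child_text(el, "filter-name") in names]
    return bool(names), patterns

def xss_filter_enabled(web_xml_text):
    """True only when the filter is both declared and mapped to a URL pattern."""
    declared, patterns = audit_xss_filter(web_xml_text)
    return declared and len(patterns) > 0
```

Run it against $INSTALLDIR/cm/WEB-INF/web.xml to see whether the filter is declared, which URL patterns it covers, and whether either half has been commented out.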