Cee Paxton
XSS protection in Liferay 6.1 GA1
January 20, 2013 10:21 AM
Rank: New Member

Posts: 3

Join Date: January 20, 2013

In prior versions of Liferay, XSS protection was enabled by setting the following entry in the portal-ext.properties:

xss.allow=false

In 6.1, it looks like this has been removed as an overridden property in portal-ext. How is it toggled on and off in 6.1? Is it on by default?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 1:07 PM
Rank: Liferay Legend

Posts: 7949

Join Date: March 23, 2010

I think you're right. The last comment in the following issue clearly states it has been removed:

http://issues.liferay.com/browse/LPS-13246
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 1:12 PM

Even if that particular property has been removed, do you happen to know how to turn XSS on in 6.1?

I assume that they only removed the property and not XSS protection altogether.
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 1:53 PM
Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

Why would you want that?

That property might just as well have been called

hackme=true
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 2:09 PM

The question is

It doesn't appear to be on by default. How is it turned on in 6.1?
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 11:08 PM

You don't because the very notion of having such a property is retarded.

Now why do you think you need to enable this property?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
January 21, 2013 3:22 AM

As is written in the issue, XSS protection should be enabled by default. If it's not, can you provide us with a test case?
Also, there have been some security patches in 6.1.0 GA1. Please check if XSS protection is enabled in Liferay 6.1.1 GA2.
