Cee Paxton
XSS protection in Liferay 6.1 GA1
January 20, 2013 10:21

In prior versions of Liferay, XSS protection was enabled by setting the following entry in the portal-ext.properties:

xss.allow=false

In 6.1, it looks like this has been removed as an overridden property in portal-ext. How is it toggled on and off in 6.1? Is it on by default?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 13:07

I think you're right. The last comment in the following issue clearly states it has been removed:

http://issues.liferay.com/browse/LPS-13246
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 13:12

Even if that particular property has been removed, do you happen to know how to turn XSS on in 6.1?

I assume that they only removed the property and not XSS protection altogether.
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 13:53

Why would you want that?

That property might just as well have been called

hackme=true
Cee Paxton
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 14:09

The question is

It doesn't appear to be on by default. How is it turned on in 6.1?
Jelmer Kuperus
RE: XSS protection in Liferay 6.1 GA1
January 20, 2013 23:08

You don't, because the very notion of having such a property is retarded.

Now why do you think you need to enable this property?
Hitoshi Ozawa
RE: XSS protection in Liferay 6.1 GA1
January 21, 2013 3:22

As is written in the issue, XSS protection should be enabled by default. If it's not, can you provide us with a test case?
Also, there have been some security patches in 6.1.0GA1. Please check if XSS protection is enabled in Liferay 6.1.1 GA2.
