留言板

XSS protection in Liferay 6.1 GA1

Cee Paxton,修改在11 年前。

XSS protection in Liferay 6.1 GA1

New Member 帖子: 3 加入日期: 13-1-20 最近的帖子
In prior version of Liferay, XSS protection was enabled by setting the following entry in the portal-ext.properties:

xss.allow=false

In 6.1, it looks like this has been removed as a overriden property in portal-ext. How is it toggled on and off in 6.1? Is it on by default?
thumbnail
Hitoshi Ozawa,修改在11 年前。

RE: XSS protection in Liferay 6.1 GA1

Liferay Legend 帖子: 7942 加入日期: 10-3-24 最近的帖子
I think you'll right. The last comment in the following issue clearly states it has been removed:

http://issues.liferay.com/browse/LPS-13246
Cee Paxton,修改在11 年前。

RE: XSS protection in Liferay 6.1 GA1

New Member 帖子: 3 加入日期: 13-1-20 最近的帖子
Even if that particular property has been removed., do you happen to know how to turn XSS on in 6.1?

I assume that they only removed the property and not XSS protection all together.
thumbnail
jelmer kuperus,修改在11 年前。

RE: XSS protection in Liferay 6.1 GA1

Liferay Legend 帖子: 1191 加入日期: 10-3-10 最近的帖子
why would you want that ?

that property might just as well have been called

hackme=true
Cee Paxton,修改在11 年前。

RE: XSS protection in Liferay 6.1 GA1

New Member 帖子: 3 加入日期: 13-1-20 最近的帖子
The question is

It doesn't appear to be on by default. How is it turned on in 6.1z
thumbnail
jelmer kuperus,修改在11 年前。

RE: XSS protection in Liferay 6.1 GA1

Liferay Legend 帖子: 1191 加入日期: 10-3-10 最近的帖子
You don't because the very notion of having such a property is retarded

Now why do you think you need to enable this property.
thumbnail
Hitoshi Ozawa,修改在11 年前。

RE: XSS protection in Liferay 6.1 GA1

Liferay Legend 帖子: 7942 加入日期: 10-3-24 最近的帖子
As is written in the issue, XSS protection should be enable by default. If it's not, can you provide us with a test case?
Also, there have been some security patches in 6.1.0GA1. Please check if XSS protection is enabled in liferay 6.1.1 GA2.