13.4 Enabling Users to Add JavaScript and Other Restricted Content by Modifying Cross-Site Scripting Settings

Cross-site scripting (XSS) is a client-side computer attack that is aimed at Web applications. Because XSS attacks can pose a major security threat, Novell Teaming contains a built-in security filter that protects against XSS vulnerabilities.

The following sections describe the types of content that the security filter blocks from the Teaming site, where exactly it blocks it from entering, and how you can enable specific users to bypass the security filter.

13.4.1 Understanding What Content Is Not Permitted

By default, the XSS security filter in Teaming is very strict, and does not allow users to add certain types of content. Following are examples of content that is not permitted:

  • HTML that contains JavaScript

  • Forms

  • Frames

  • Objects

  • Applets

13.4.2 Understanding Where the Content Is Not Permitted

The type of content discussed in Section 13.4.1, Understanding What Content Is Not Permitted is filtered by Teaming in the following areas:

  • Text and HTML fields in entries and folders

  • Uploaded HTML files

13.4.3 Enabling Users to Bypass the XSS Security Filter

Specific users might need to add the types of content described in Section 13.4.1, Understanding What Content Is Not Permitted, to the Teaming site. If you trust these users, you can enable them to bypass the XSS security filter.

  1. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat-version/webapps/ssf/WEB-INF/classes/config

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat-version\webapps\ssf\WEB-INF\classes\config

  2. Open the zone-ext.cfg.xml file in a text editor.

  3. Add the following information to the xml file, inside the <zoneConfiguration> tags:

    <zone name="kablink">
     <xssConfiguration>
      <trustedUsers>
       <user name="jchavez"/>
      </trustedUsers>
     </xssConfiguration>
    </zone>
    

    The user name value must be the user ID of the user to whom you want to grant rights to upload HTML files to the Teaming site.

    To enable multiple users to add HTML content to the Teaming site, use multiple <user name> elements. For example:

    <user name="jchavez"/>
    <user name="ahall"/>
    <user name="cjones"/>
    
  4. Stop and restart Teaming.
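Because every name in the trustedUsers list can publish content that the XSS filter would otherwise block, an administrator will want to periodically confirm that the list contains only the intended accounts. The following script is an added audit check, not part of the Teaming product or its documentation; it parses the xssConfiguration block described above and assumes that zoneConfiguration is the root element of zone-ext.cfg.xml.

```python
"""Audit which Teaming users are configured to bypass the XSS security filter.

Reads the <zone>/<xssConfiguration>/<trustedUsers>/<user> structure from
zone-ext.cfg.xml and reports the trusted user names per zone, then flags any
name that is not on the administrator's approved list.
"""
import xml.etree.ElementTree as ET

# Constructed sample of zone-ext.cfg.xml content (not taken from a real
# installation). Assumes <zoneConfiguration> is the root element; the
# second zone has no xssConfiguration block at all.
SAMPLE_ZONE_EXT_CFG = """<zoneConfiguration>
  <zone name="kablink">
    <xssConfiguration>
      <trustedUsers>
        <user name="jchavez"/>
        <user name="ahall"/>
        <user name="cjones"/>
        <user name="  jchavez "/>
      </trustedUsers>
    </xssConfiguration>
  </zone>
  <zone name="secondzone"/>
</zoneConfiguration>
"""


def trusted_users_by_zone(xml_text):
    """Return {zone name: sorted list of user names allowed to bypass the filter}."""
    root = ET.fromstring(xml_text)
    result = {}
    for zone in root.iter("zone"):
        users = set()
        for user in zone.findall("./xssConfiguration/trustedUsers/user"):
            name = (user.get("name") or "").strip()  # ignore empty / whitespace names
            if name:
                users.add(name)
        result[zone.get("name", "")] = sorted(users)
    return result


def unexpected_trusted_users(xml_text, approved):
    """Return {zone name: names in the config that are NOT in the approved set}."""
    approved = set(approved)
    report = {}
    for zone, users in trusted_users_by_zone(xml_text).items():
        extra = sorted(set(users) - approved)
        if extra:
            report[zone] = extra
    return report


if __name__ == "__main__":
    # Read the real file instead of the sample when auditing an installation.
    print(trusted_users_by_zone(SAMPLE_ZONE_EXT_CFG))
    print(unexpected_trusted_users(SAMPLE_ZONE_EXT_CFG, {"jchavez", "ahall"}))
```

To audit a live installation, pass the contents of zone-ext.cfg.xml from the config directory named in step 1 in place of the sample string.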