18.9 Enabling Users to Bypass the XSS Security Filter

Cross-site scripting (XSS) is an injection attack against Web applications: an attacker places script or active HTML in content that the application later serves to other users, and that script runs in those users' browsers with their session and privileges. Because XSS attacks can pose a major security threat, Novell Vibe contains a built-in security filter that protects against XSS vulnerabilities. This security filter is enabled by default.

The XSS security filter protects the Vibe site from XSS in two key areas:

Specific users might need to add some of the content described in Understanding What Content Is Not Permitted. If you trust these users, you can enable them to bypass the XSS security filter so that they can add JavaScript and other restricted content.

IMPORTANT: We do not recommend that you turn off the XSS security filter for the entire site. Keep in mind that content added by a user who bypasses the filter is served unfiltered to everyone who views it, so the exemption is only as safe as that user's credentials and judgment; grant it to as few accounts as possible and review the list of exempted users and groups periodically. For more information about keeping your Vibe site secure from XSS, see Section 37.3.10, Securing the Vibe Site against XSS.

Enabling a group to bypass the XSS filter is more efficient than enabling individual users because you modify the configuration file (and restart Vibe) only once, when you initially authorize the group. After the initial setup, you change who can bypass the filter by editing the group's membership in Vibe, without touching the configuration file again.

18.9.1 Enabling Groups to Bypass the XSS Security Filter

The most efficient way to enable users to bypass the XSS security filter is to set up a group in Vibe, add users to this group who you trust, then authorize this group to bypass the XSS security filter. Only group members have the authority to bypass the XSS security filter.

  1. Create a group in Vibe and add only users who you trust to this group.

    Members of this group will be allowed to bypass the XSS security filter.

    For information on how to create a group and add users to the group, see Section 5.2, Creating Groups of Users.

  2. On the Vibe server, change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/webapps/ssf/WEB-INF/classes/config

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\webapps\ssf\WEB-INF\classes\config

  3. Open the zone-ext.cfg.xml file in a text editor.

  4. Add the following information to the XML file, inside the <zoneConfiguration> tags:

    <zone name="kablink">
     <xssConfiguration>
      <trustedGroups>
       <group name="trusted"/>
      </trustedGroups>
     </xssConfiguration>
    </zone>
    

    The group name value must be the group ID of the group whose members you want to be able to add restricted content, such as HTML files, to the Vibe site. Use the group ID exactly as it appears in Vibe; a misspelled ID matches no group, so no one is exempted.

    If your Vibe system began as Teaming version 1, the zone name value is liferay.com instead of kablink.

  5. Stop and restart Vibe.

18.9.2 Enabling Individual Users to Bypass the XSS Security Filter

  1. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/webapps/ssf/WEB-INF/classes/config

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\webapps\ssf\WEB-INF\classes\config

  2. Open the zone-ext.cfg.xml file in a text editor.

  3. Add the following information to the XML file, inside the <zoneConfiguration> tags:

    <zone name="kablink">
     <xssConfiguration>
      <trustedUsers>
       <user name="jchavez"/>
      </trustedUsers>
     </xssConfiguration>
    </zone>
    

    The user name value must be the user ID of the user you want to be able to add restricted content, such as HTML files, to the Vibe site. Use the user ID exactly as it appears in Vibe; a misspelled ID matches no user, so no one is exempted.

    If your Vibe system began as Teaming version 1, the zone name value is liferay.com instead of kablink.

    To enable multiple users to add HTML content to the Vibe site, create a group and enable the group to add content, as described in Enabling Groups to Bypass the XSS Security Filter. Or, you can enable multiple users on an individual basis by adding multiple <user> elements inside the <trustedUsers> element. For example:

    <user name="jchavez"/>
    <user name="ahall"/>
    <user name="cjones"/>
    
  4. Stop and restart Vibe.
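As an added check (example code written for this page, not part of Vibe or its documentation), the following Python script lists every group and user that zone-ext.cfg.xml exempts from the XSS security filter, covering both the group-based procedure in Enabling Groups to Bypass the XSS Security Filter and the user-based procedure above, and warns about a second <zone> element with the same name, which is easy to produce when both procedures are followed one after the other. The sample configuration embedded in the script is constructed for the example; placing <trustedGroups> and <trustedUsers> under a single <zone>/<xssConfiguration> is an assumption of the example, as is treating a duplicate zone element as a mistake worth flagging.

```python
"""Audit which Vibe principals are exempt from the XSS security filter.

Parses a zone-ext.cfg.xml and lists, per <zone>, the groups and users found
under <xssConfiguration>/<trustedGroups> and <trustedUsers>.  Also flags
mistakes that are easy to make when the group and user procedures are
followed one after the other.  Example code for this page, not Vibe's own.
"""
import sys
import xml.etree.ElementTree as ET

# Zone names this section of the documentation mentions.
DOCUMENTED_ZONES = ("kablink", "liferay.com")

# Constructed sample input (not taken from a real system).  Putting the
# trustedGroups and trustedUsers elements under ONE <zone>/<xssConfiguration>
# is an assumption of this example; the documentation shows them separately.
SAMPLE_CONFIG = """<zoneConfiguration>
  <zone name="kablink">
    <xssConfiguration>
      <trustedGroups>
        <group name="trusted"/>
      </trustedGroups>
      <trustedUsers>
        <user name="jchavez"/>
        <user name="ahall"/>
      </trustedUsers>
    </xssConfiguration>
  </zone>
</zoneConfiguration>
"""


def xss_bypass_principals(xml_text):
    """Return ({zone: {"groups": [...], "users": [...]}}, [warning strings])."""
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML
    if root.tag != "zoneConfiguration":
        raise ValueError("root element is <%s>, expected <zoneConfiguration>" % root.tag)

    principals = {}
    warnings = []
    for zone in root.findall("zone"):
        name = zone.get("name", "")
        if not name:
            warnings.append("<zone> element without a name attribute")
        elif name not in DOCUMENTED_ZONES:
            warnings.append('zone "%s" is not one of: %s' % (name, ", ".join(DOCUMENTED_ZONES)))
        if name in principals:
            warnings.append('duplicate <zone name="%s">: merge its contents into one element' % name)
        entry = principals.setdefault(name, {"groups": [], "users": []})
        for xss in zone.findall("xssConfiguration"):
            entry["groups"] += [g.get("name", "") for g in xss.findall("trustedGroups/group")]
            entry["users"] += [u.get("name", "") for u in xss.findall("trustedUsers/user")]
        for kind in ("groups", "users"):
            if "" in entry[kind]:
                warnings.append('zone "%s": %s entry with an empty name' % (name, kind))
    return principals, warnings


def audit_file(path):
    """Parse the file at `path`, print a report, and return the warning list."""
    with open(path, "r", encoding="utf-8") as fh:
        principals, warnings = xss_bypass_principals(fh.read())
    for zone, entry in principals.items():
        print("zone %s: %d trusted group(s), %d trusted user(s)"
              % (zone, len(entry["groups"]), len(entry["users"])))
        for g in entry["groups"]:
            print("  group  %s" % g)
        for u in entry["users"]:
            print("  user   %s" % u)
    for w in warnings:
        print("WARNING: %s" % w)
    return warnings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if audit_file(sys.argv[1]) else 0)
    # No path given: run against the constructed sample.
    print(xss_bypass_principals(SAMPLE_CONFIG))
```

Run it on the server before restarting Vibe, for example with python3 audit_xss_bypass.py /opt/novell/teaming/apache-tomcat/webapps/ssf/WEB-INF/classes/config/zone-ext.cfg.xml (the script name is the example's own choice); a non-zero exit status means a warning was raised, and a malformed file fails with a ParseError before you restart the service with it. Keeping the printed list with your change records gives you the periodic review of exempted accounts that the IMPORTANT note above asks for.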