14.5 Enabling Users to Add JavaScript and Other Restricted Content by Modifying Cross-Site Scripting Settings

Cross-site scripting (XSS) is a client-side attack aimed at Web applications: content that one user adds to a page executes as script in the browsers of other users who view it. Because XSS attacks can pose a major security threat, Novell Vibe contains a built-in security filter that protects against XSS vulnerabilities.

The following sections describe the types of content that the security filter blocks, where on the Vibe site it blocks them, and how you can enable specific users to bypass the security filter.

14.5.1 Understanding What Content Is Not Permitted

By default, the XSS security filter in Vibe is very strict, and does not allow users to add certain types of content. For example, the following content is not permitted:

  • HTML that contains JavaScript

  • Forms

  • Frames

  • Objects

  • Applets
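The following is an added example, not Vibe product code: a simplified model of the checks a strict XSS security filter applies to user-supplied HTML, flagging the content types listed above (HTML that contains JavaScript, forms, frames, objects and applets). Treating iframe and frameset as "frames", and treating on* attributes and javascript: URLs as "HTML that contains JavaScript", are this example's own assumptions about how the categories are interpreted; the sample fragments are constructed.

```python
# Added example (not Vibe product code): a simplified model of the checks a
# strict XSS security filter applies to user-supplied HTML. It flags the
# content types this section lists as not permitted: HTML that contains
# JavaScript, forms, frames, objects and applets.
from html.parser import HTMLParser

# Element names treated as not permitted. "frame" is broadened here to
# include iframe and frameset; that broadening is this example's assumption.
BLOCKED_TAGS = {"script", "form", "frame", "iframe", "frameset", "object", "applet"}


class RestrictedContentScanner(HTMLParser):
    """Records why a fragment would be rejected; an empty list means it passes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in BLOCKED_TAGS:
            self.findings.append(f"blocked element <{tag}>")
        for name, value in attrs:
            name = name.lower()
            # Inline event handlers (onclick, onload, ...) carry JavaScript
            # even when no <script> element is present.
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name} on <{tag}>")
            # A javascript: URL in href/src/action also executes script.
            if value is not None and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
    # HTMLParser routes self-closing tags (<img ... />) through handle_starttag too.


def scan_html(fragment):
    """Return the list of findings for an HTML fragment (empty if permitted)."""
    scanner = RestrictedContentScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings


def is_permitted(fragment):
    """True when the fragment contains none of the restricted content types."""
    return not scan_html(fragment)


# Constructed sample fragments, as a user might paste into an HTML field.
SAMPLES = {
    "plain formatting": "<p>Hello <b>world</b></p>",
    "form": '<form action="/search"><input name="q"></form>',
    "object": '<object data="movie.swf"></object>',
    "event handler": '<img src="logo.png" onload="track()">',
    "javascript url": '<a href="javascript:void(0)">link</a>',
}

if __name__ == "__main__":
    for label, fragment in SAMPLES.items():
        verdict = "permitted" if is_permitted(fragment) else "blocked"
        print(f"{label}: {verdict} {scan_html(fragment)}")
```

Only the first sample passes; each of the others is rejected for one of the reasons the filter exists, which is why an administrator should be deliberate about who is allowed to bypass it.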

14.5.2 Understanding Where the Content Is Not Permitted

The type of content discussed in Section 14.5.1, Understanding What Content Is Not Permitted is filtered by Vibe in the following areas:

  • Text and HTML fields in entries and folders

  • Uploaded HTML files

14.5.3 Listing All XSS Threats in Your System

Vibe enables you to run an XSS report that lists XSS threats that are contained in your Vibe system. For more information, see Section 22.1.9, XSS Report.

14.5.4 Enabling Users to Bypass the XSS Security Filter

Specific users might need to add some of the content described in Section 14.5.1, Understanding What Content Is Not Permitted. If you trust these users, you can enable them to bypass the XSS security filter.

IMPORTANT: We do not recommend that you turn off the XSS security filter for the entire site. For more information about keeping your Vibe site secure from XSS, see Section 33.3.10, Securing the Vibe Site from XSS.

Enabling a group to bypass the XSS filter is more efficient than enabling individual users because it requires you to modify the configuration file only once, when you initially authorize the group. After the initial setup, you can easily modify group membership.

Enabling Groups to Bypass the XSS Security Filter

The most efficient way to enable users to bypass the XSS security filter is to set up a group in Vibe, add the users whom you trust to this group, and then authorize this group to bypass the XSS security filter. Only group members have the authority to bypass the XSS security filter.

  1. Create a group in Vibe and add only users who you trust to this group.

    Members of this group will be allowed to bypass the XSS security filter.

    For information on how to create a group and add users to the group, see Section 5.2, Creating Groups of Users.

  2. On the Vibe server, change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/webapps/ssf/WEB-INF/classes/config

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\webapps\ssf\WEB-INF\classes\config
  3. Open the zone-ext.cfg.xml file in a text editor.

  4. Add the following information to the xml file, inside the <zoneConfiguration> tags:

    <zone name="kablink">
     <xssConfiguration>
      <trustedGroups>
       <group name="trusted"/>
      </trustedGroups>
     </xssConfiguration>
    </zone>
    

    The group name value should contain the group ID for the group you want to be able to upload HTML files to the Vibe site.

  5. Stop and restart Vibe.

Enabling Individual Users to Bypass the XSS Security Filter

  1. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/webapps/ssf/WEB-INF/classes/config

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\webapps\ssf\WEB-INF\classes\config
  2. Open the zone-ext.cfg.xml file in a text editor.

  3. Add the following information to the xml file, inside the <zoneConfiguration> tags:

    <zone name="kablink">
     <xssConfiguration>
      <trustedUsers>
       <user name="jchavez"/>
      </trustedUsers>
     </xssConfiguration>
    </zone>
    

    The user name value should contain the user ID for the user you want to be able to upload HTML files to the Vibe site.

    To enable multiple users to add HTML content to the Vibe site, create a group and enable the group to add content, as described in Enabling Groups to Bypass the XSS Security Filter. Or, you can enable multiple users on an individual basis by using multiple <user name> elements. For example:

    <user name="jchavez"/>
    <user name="ahall"/>
    <user name="cjones"/>
    
  4. Stop and restart Vibe.
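Both procedures above (for groups and for individual users) edit the xssConfiguration section of zone-ext.cfg.xml. The following is an added example, not part of the Vibe product, that works with that file's structure in two ways: it lists every group and user currently authorized to bypass the XSS filter, so the list can be reviewed periodically, and it adds a trusted user to a zone, creating the xssConfiguration and trustedUsers elements if they do not exist yet. The embedded XML is a constructed sample in the shape shown in this section, and the zone and user names in it are placeholders; reading and writing the real file, and the restart of Vibe afterwards, are left to the administrator.

```python
# Added example (not Vibe product code): review and update the trustedGroups /
# trustedUsers entries of a zone-ext.cfg.xml document in the shape this
# section shows. The sample XML below is constructed, not a real file.
import xml.etree.ElementTree as ET

SAMPLE_ZONE_EXT_CFG = """<zoneConfiguration>
  <zone name="kablink">
    <xssConfiguration>
      <trustedGroups>
        <group name="trusted"/>
      </trustedGroups>
      <trustedUsers>
        <user name="jchavez"/>
        <user name="ahall"/>
      </trustedUsers>
    </xssConfiguration>
  </zone>
</zoneConfiguration>
"""


def xss_bypass_principals(xml_text):
    """Return {zone_name: {"groups": [...], "users": [...]}} for every zone
    that declares an xssConfiguration section; other zones are omitted."""
    root = ET.fromstring(xml_text)
    result = {}
    for zone in root.iter("zone"):
        xss = zone.find("xssConfiguration")
        if xss is None:
            continue
        groups = [g.get("name") for g in xss.iter("group") if g.get("name")]
        users = [u.get("name") for u in xss.iter("user") if u.get("name")]
        result[zone.get("name")] = {"groups": groups, "users": users}
    return result


def review_lines(xml_text):
    """One human-readable line per principal that may bypass the filter."""
    lines = []
    for zone, principals in xss_bypass_principals(xml_text).items():
        for g in principals["groups"]:
            lines.append(f"zone {zone}: group '{g}' may bypass the XSS filter")
        for u in principals["users"]:
            lines.append(f"zone {zone}: user '{u}' may bypass the XSS filter")
    return lines


def add_trusted_user(xml_text, zone_name, user_id):
    """Return the document with user_id listed under trustedUsers for
    zone_name. Missing zone/xssConfiguration/trustedUsers elements are
    created; adding a user that is already present changes nothing."""
    root = ET.fromstring(xml_text)
    zone = next((z for z in root.iter("zone") if z.get("name") == zone_name), None)
    if zone is None:
        zone = ET.SubElement(root, "zone", name=zone_name)
    xss = zone.find("xssConfiguration")
    if xss is None:
        xss = ET.SubElement(zone, "xssConfiguration")
    trusted = xss.find("trustedUsers")
    if trusted is None:
        trusted = ET.SubElement(xss, "trustedUsers")
    if not any(u.get("name") == user_id for u in trusted.findall("user")):
        ET.SubElement(trusted, "user", name=user_id)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in review_lines(SAMPLE_ZONE_EXT_CFG):
        print(line)
    updated = add_trusted_user(SAMPLE_ZONE_EXT_CFG, "kablink", "cjones")
    print(updated)
```

Running the review function against the real file after each change gives a short list that can be compared against the set of users the organization actually trusts with unfiltered HTML.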