Cross-site Scripting (XSS) Filtering

Ennov InSight includes Cross-site Scripting (XSS) filtering that prevents users from submitting malicious script code as user input in an attempt to access data.

Any data that includes HTML tags and text patterns not included in the exception list (whitelist) will not be saved by the system.

By default, the following text patterns will be prevented from being saved unless they are included in the whitelist:

— onmouseover

— document.cookie

— window.open

— onload

— onerror

— onreset

— onclick

— ondblclick

— ondrag

— onfocus

— onblur

— onchange

— onselect

— onkey

— oncut

— oncopy

— onpaste

— onmouse

— onscroll

— onwheel

— oninput

— oninvalid

Enabling Cross-site Scripting Filtering

The Cross-site Scripting (XSS) filter can be enabled by setting its property value to true in the securityConfiguration.xml file.

To enable the Cross-site Scripting filter:

  1. On the Application Server, locate: <Installation drive>:\InSightManager\server\all\conf\insight\securityConfiguration.xml

  2. Open this file in a text editor and locate the section:

    Example

    <property name="enableXssFilter" value="false"/>
  3. Change the value of enableXssFilter to true.
  4. Save and close the securityConfiguration.xml file.
  5. Restart the Application Server.

Whitelist Tags, Tag Attributes, and Text Patterns

Ennov InSight enables you to add tags, tag attributes, and text patterns to the whitelist.

To specify the tag attributes and text patterns in the whitelist:

  1. On the Application Server, find the securityConfiguration.xml file in the following location:

    <Installation drive>:\InSightManager\server\all\conf\insight\securityConfiguration.xml

  2. Open this file in a text editor.
  3. To add tags, locate the section <property name="allowedTags">.
  4. Add <value>new tag</value> to the list of tags and replace new tag with the value of the tag you want to add. Repeat this step to add more tags.

    Example

    <property name="allowedTags">
      <list>
        <value>b</value>
        <value>new tag</value>
      </list>
    </property>

  5. To add tag attributes, locate the section <property name="allowedTagAttributes">.
  6. Locate the list that corresponds to the tag to which you want to add the tag attributes.
  7. Add <value>new tag attribute</value> to the list of tag attributes and replace new tag attribute with the value of the tag attribute you want to add. Repeat this step to add more tag attributes.

    Example

    <property name="allowedTagAttributes">
      <map>
        <entry>
          <key>
            <value>div</value>
          </key>
          <list>
            <value>title</value>
            <value>style</value>
            <value>new tag attribute</value>
          </list>
        </entry>
      </map>
    </property>

  8. To add text patterns, locate the section <property name="allowedTextPatterns">.
  9. Add <value>new text pattern</value> to the list of text patterns and replace new text pattern with the value of the text pattern you want to add. Repeat this step to add more text patterns.

    Example

    <property name="allowedTextPatterns">
      <list>
        <value>onclick</value>
        <value>onmouseover</value>
        <value>document.cookie</value>
        <value>window.open</value>
        <value>new text pattern</value>
      </list>
    </property>

  10. Save and close the securityConfiguration.xml file.
  11. Restart the Application Server.
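
Because a text pattern on the default blocked list is allowed to be saved once it appears in the whitelist, it is worth reviewing securityConfiguration.xml after editing it. The following script is an added example, not part of Ennov InSight or its documentation: it reports whether enableXssFilter is set to true and which allowedTextPatterns entries re-allow a default-blocked pattern. The `<bean>` wrapper in the constructed sample and the `audit` function name are assumptions, since this page shows only the `<property>` fragments.

```python
import xml.etree.ElementTree as ET

# Default-blocked text patterns, copied from the list on this page.
DEFAULT_BLOCKED = {
    "onmouseover", "document.cookie", "window.open", "onload", "onerror",
    "onreset", "onclick", "ondblclick", "ondrag", "onfocus", "onblur",
    "onchange", "onselect", "onkey", "oncut", "oncopy", "onpaste",
    "onmouse", "onscroll", "onwheel", "oninput", "oninvalid",
}

# Constructed sample input. The <bean> wrapper is an assumption; the page
# documents only the <property> elements inside the file.
SAMPLE = """<bean>
  <property name="enableXssFilter" value="false"/>
  <property name="allowedTextPatterns">
    <list>
      <value>onclick</value>
      <value>document.cookie</value>
      <value>new text pattern</value>
    </list>
  </property>
</bean>"""

def _local(tag):
    """Strip an XML namespace prefix such as '{ns}property'."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return a list of findings for a securityConfiguration.xml document."""
    root = ET.fromstring(xml_text)
    props = {e.get("name"): e for e in root.iter() if _local(e.tag) == "property"}
    findings = []
    flt = props.get("enableXssFilter")
    if flt is None or (flt.get("value") or "").strip().lower() != "true":
        findings.append("enableXssFilter is not set to true")
    patterns = props.get("allowedTextPatterns")
    if patterns is not None:
        for v in patterns.iter():
            text = (v.text or "").strip()
            if _local(v.tag) == "value" and text.lower() in DEFAULT_BLOCKED:
                findings.append(f"whitelist re-allows default-blocked pattern: {text}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real installation, pass the contents of securityConfiguration.xml to `audit` in place of the constructed sample.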