XSS Prevention documentation for the dotCMS Content Management System

XSS PROTECTION FOR ADMIN SCREENS

As of version 5.2, dotCMS has shipped with a filter designed to minimize XSS and CSRF vulnerabilities in the administrative console. To do this, dotCMS blocks direct access to all files under the administrative directories, e.g. /html, /dotAdmin … unless dotCMS is sent a valid referer (or Origin) header. Prior to dotCMS 5.2, a similar protection was enabled using a plugin known as the CSRFFilter plugin, which is no longer needed.

The XSS prevention behavior is enabled globally by default and can be turned off globally by this property:

XSS_PROTECTION_ENABLED=false

The paths (regexes) that are protected default to the list found here: https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/interceptor/dotcms/XSSPreventionWebInterceptor.java#L26

and can be overridden if needed by this comma-separated property:

XSS_PROTECTED_PATHS=\\A/html/,\\A/c/,\\A/servlets/

With XSS protection, dotCMS expects a valid referer or Origin header. The Origin Header is checked first and if it is not present, dotCMS will fall back to check the referer header. For a request to be valid, one of the following must be true:

  • The Origin/referer is the same host name as the request url (normally, this is the case).
  • The Origin/referer header has a value equal to a site or alias defined in the site manager (not normal, but maybe).
  • The Origin/referer header has a value equal to the “Portal Url” as defined on the Configuration Screen.
  • The request is for a *.css file (css @import statements do not set a referer).

If none of these conditions are met and you have a case where you need to allow non-referred access to an administrative file or folder, you can add URIs and paths to ignore to the config property IGNORE_REFERER_FOR_PATHS, as comma-separated values. dotCMS will ignore all matching URIs or, if the value ends with an asterisk, all URIs that begin with the value, e.g.

# IGNORE_REFERER_FOR_PATHS=/html/common/css.jsp,/html/my-plugin/*
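The decision logic described above (Origin checked before referer; host, site alias, Portal Url or *.css accepted; IGNORE_REFERER_FOR_PATHS honoured), written out as an added Python model for illustration. This is not dotCMS's own Java filter, and the site list, Portal Url and request samples are constructed values, not defaults shipped with the product.

```python
import re
from urllib.parse import urlparse

# Constructed configuration mirroring the properties described on this page.
# SITE_HOSTS and PORTAL_URL are hypothetical sample values, not dotCMS defaults.
PROTECTED_PATHS = [r"\A/html/", r"\A/c/", r"\A/servlets/"]   # XSS_PROTECTED_PATHS
IGNORE_REFERER_FOR_PATHS = ["/html/common/css.jsp", "/html/my-plugin/*"]
SITE_HOSTS = {"www.example.com", "example.com"}   # sites/aliases from Site Manager
PORTAL_URL = "https://admin.example.com"          # "Portal Url" on the Configuration screen


def host_of(url):
    """Lower-cased host name of an absolute URL, or None if missing/unparsable."""
    if not url:
        return None
    host = urlparse(url).hostname
    return host.lower() if host else None


def path_is_protected(path):
    """True when the request path matches one of the protected-path regexes."""
    return any(re.search(pattern, path) for pattern in PROTECTED_PATHS)


def path_is_ignored(path):
    """IGNORE_REFERER_FOR_PATHS: exact match, or prefix match when the entry ends in '*'."""
    for entry in IGNORE_REFERER_FOR_PATHS:
        if entry.endswith("*"):
            if path.startswith(entry[:-1]):
                return True
        elif path == entry:
            return True
    return False


def request_allowed(request_host, path, headers):
    """Model of the admin-screen check: True if the request should be served."""
    if not path_is_protected(path) or path_is_ignored(path):
        return True
    if path.lower().endswith(".css"):        # @import requests carry no referer
        return True
    # Origin is consulted first; the referer is only used when Origin is absent.
    source = headers.get("Origin") or headers.get("Referer")
    src_host = host_of(source)
    if src_host is None:
        return False
    return (src_host == request_host.lower()
            or src_host in SITE_HOSTS
            or src_host == host_of(PORTAL_URL))
```

A practical consequence visible in the model: when an Origin header is present but does not match, a matching referer does not rescue the request.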