|Requires Admin Access:||Yes|
|Credit:||it.sec GmbH & Co. KG – Hans-Martin Münch & Markus Piéton|
The Cross Site Scripting protection, that is responsible for filtering user input to provide a sanitized representation of potentially harmful input, is flawed and can easily be circumvented. This leads to a range of vulnerabilities that allow attackers to change the layout of the web site and possibly compromise visiting clients. Cross Site Scripting is often used by attackers to show fake login screens that send the provided credentials to a attacker controlled server.
Dotcms provides a XSS filter intended to prevent XSS vulnerabilities. This filter can be extended, either through updating the filtering regex or providing a separate filter/implementation of the filter.
Customer can update specific implementation, the XSS regex and or implement a plugin that includes a XSS workflow actionlet to prevent XSS (or any scripting) from being included in submitted content.