6.7 Preventing XSS Attacks

The User Application supports the concept of XSS (Cross-Site Scripting) blacklists to help you prevent scripting attacks. The XSS blacklists prevent XSS injection in the free text input fields within the Detail portlet, approval flow, and role assignments pages within the application.

The User Application provides default values for two blacklists, one for the Detail Portlet, and another for the workflow system (which handles the approval flow and role assignments pages). However, you can customize the blacklists to suit the requirements of your environment.

To customize either of the blacklists, enter the words or characters you want to block in the ism-configuration.properties file. In Tomcat, you can find this file in the <tomcat_home>/conf folder.

To modify the blacklist for the Detail portlet, open <tomcat_home>/conf/ism-configuration.properties and find the com.novell.xss.blacklist.detailportlet property:

com.novell.xss.blacklist.detailportlet = \",<

By default, the following characters are not allowed: \",<

To modify the blacklist for the approval flow and role assignments pages, locate the com.novell.xss.blacklist.workflow property:

com.novell.xss.blacklist.workflow = <

By default, the < character is not allowed.

If you decide to customize the blacklists, be careful not to remove the default values. If you remove these values, you make the lists less restrictive, and therefore increase the risk of XSS attacks.
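As an added example (not part of the product or its documentation), the following Python script reads the two blacklist properties from an ism-configuration.properties excerpt and reports any default character that a customization has dropped. It assumes the file is a standard Java .properties file, so the backslash in \",< is an escape and the blocked characters are the double quote, the comma, and the less-than sign.

```python
"""Audit the User Application XSS blacklists in ism-configuration.properties.
Added example, not product code: decodes the Java .properties escapes and
reports any documented default character that a customization has dropped."""

# Defaults as documented: raw \",< decodes to " , < since \" escapes the quote.
DEFAULT_BLACKLISTS = {
    "com.novell.xss.blacklist.detailportlet": '",<',
    "com.novell.xss.blacklist.workflow": "<",
}
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_value(raw):
    """Decode .properties escapes: \\t \\n \\r \\f and \\x -> x (\\uXXXX not handled)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(_ESCAPES.get(raw[i + 1], raw[i + 1]))  # \" -> "   \\ -> \
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def load_properties(text):
    """Minimal parser: 'key = value' lines, '#'/'!' comments, no line continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = unescape_value(value.strip())
    return props


def audit_blacklists(props):
    """Return {property: default characters now missing}; an empty dict means OK."""
    problems = {}
    for key, default in DEFAULT_BLACKLISTS.items():
        current = props.get(key, "")
        missing = "".join(ch for ch in default if ch not in current)
        if missing:
            problems[key] = missing
    return problems


# Constructed sample: the Detail portlet list lost the comma; workflow keeps < and adds >.
SAMPLE_CONFIG = """# ism-configuration.properties (constructed excerpt)
com.novell.xss.blacklist.detailportlet = \\"<
com.novell.xss.blacklist.workflow = <>
"""
```

Running audit_blacklists(load_properties(SAMPLE_CONFIG)) flags the Detail portlet property because the comma from the default \",< is no longer blocked, while the workflow property passes.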