6.7 Preventing XSS Attacks

The identity applications supports the concept of XSS (Cross-Site Scripting) blacklists to allow you to prevent scripting attacks. The XSS blacklists prevent XSS injection in the free text input fields within the Detail portlet, approval flow, and role assignments pages within the application.

The identity applications provides default values for two blacklists, one for the Detail Portlet, and one for the workflow system (which handles the approval flow and role assignments pages). However, you can customize the blacklists to suit the requirements of your environment.

To customize the either of the blacklists, you need to enter the words or characters you want to block in the sys-configuration-xmldata.xml file. In Tomcat, you can find this file in the <tomcat_home>/conf folder. Open the file with a UTF-8 friendly editor.

To modify the blacklist for the Detail portlet, open <tomcat_home>/conf/ism-configuration.properties in a UTF-8 editor, and find the com.netiq.xss.blacklist.detailportlet property:


The text node of <value> is the blacklist for Detail portlet. The blocked words are separated by comma (for example, blocked_word1,blocked_word2,...). The default setting is:


This means that double quote and < are disallowed.

To modify the blacklist for the approval flow and role assignments pages, locate the com.netiq.xss.blacklist.workflow property.


The syntax is the same. The default value is:


which means that < is disallowed.

If you decide to customize the blacklists, be careful not to remove the default values. If you remove these values, you will make the lists less restricted, and therefore increase the risk of XSS attacks.