Running the XSS Report in Novell Vibe OnPrem

  • 7007381
  • 15-Dec-2010
  • 27-Apr-2012

Environment

Novell Vibe OnPrem 3

Situation

Background:
By default, Novell Vibe OnPrem implements an XSS (Cross Site Scripting) checker which prevents a user from injecting client-side scripts into the description areas of folders and entries, along with other content that is not permitted (see the documentation on understanding what content is not permitted). Common examples include HTML that contains JavaScript, forms, frames and objects. Vibe OnPrem also allows the site administrator to set up exceptions to the default checking so that certain designated users and/or groups are allowed to bypass the XSS checker (documented in TID 7006194).

Starting in Vibe OnPrem 3.0, a site administrator can run an XSS Report to find any XSS problems across the site and safely remove them. This TID shows how to use this reporting capability effectively.

Resolution

To run the report:
  1. Log into the Vibe site as the Vibe administrator.
  2. Click the Administration icon in the top right hand corner.
  3. Under Reports, click XSS Report.
  4. Select the folders and/or workspaces where you would like to run the XSS report.
    If you wish to run the report across the entire site, select the top-level 'Home Workspace'.

    Note:
    On a very large site with hundreds or thousands of folders/entries, you may want to break the report down into smaller pieces to prevent timeouts.

  5. After selecting the desired folders/workspaces, click the OK button to start the report.
  6. If no XSS problems are found, the message 'No XSS problems found' is displayed.
  7. If any XSS problems are found, each problem is listed in a table.

To safely remove any XSS problems:
  1. Any XSS problems found are listed in the XSS report.

    Note:
    It is strongly recommended that you do not click on the entry/folder title hyperlink shown in the report, as that can potentially trigger the harmful script.

  2. You can safely inspect and remove the XSS problem using the 'modify' link for the respective entry/folder.
  3. This should bring up the respective folder/entry in modify mode.
  4. Inspect the entry/folder description by clicking on the 'HTML' icon in the editor.
  5. Once you are ready to remove this XSS problem*, simply click on the OK button to modify the entry/folder.
  6. This submission will trigger the default XSS checker** to clear out any XSS problems from the respective entry/folder.

*  It is possible that the reported XSS problem is not a potential risk and is just some script added by a trusted user designated by the Site Administrator to bypass the XSS checker.
**  The user running the XSS report and removing the reported XSS problems must not be in the list of trusted users designated to bypass the XSS checker; otherwise the submission will not invoke the XSS checker.
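The following is an added illustration of the two mechanisms this TID relies on, the site-wide scan that produces the report table (Background and 'To run the report') and the submit-time checker that only runs for users outside the bypass list (footnote **); it is example code written for this article, not Novell's implementation, and the names _Checker, find_xss_problems, save_description and the SAMPLE_ENTRIES data are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
BLOCKED_TAGS = {"script", "form", "frame", "iframe", "object", "embed"}  # scripts, forms, frames, objects

class _Checker(HTMLParser):
    """Records why a description fails the check and rebuilds it without the offending parts."""
    def __init__(self, html):
        super().__init__()
        self.problems, self.out, self._skip = [], [], 0
        self.feed(html)
        self.close()                             # flush any text buffered after the last tag
    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.problems.append(f"<{tag}> element")
            self._skip += 1                      # drop the element and everything nested in it
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):            # onclick=, onerror=, ... inline JavaScript
                self.problems.append(f"{name} handler on <{tag}>")
            else:
                kept.append(f' {name}="{escape(value)}"' if value is not None else f" {name}")
        if not self._skip:
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self._skip = max(self._skip - 1, 0)
        elif not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))
def find_xss_problems(entries):
    """Rows like the XSS Report table: (entry id, title, author, reasons). Nothing is rendered."""
    rows = []
    for e in entries:
        c = _Checker(e["description"])
        if c.problems:
            rows.append((e["id"], e["title"], e["author"], c.problems))
    return rows
def save_description(entry, submitting_user, trusted_users):
    """The 'modify, then OK' step: the checker runs only if the submitter is not on the bypass list."""
    if submitting_user in trusted_users:
        return entry["description"]              # trusted user: stored as-is, nothing is cleaned
    return "".join(_Checker(entry["description"]).out)

SAMPLE_ENTRIES = [  # constructed sample data, not taken from any real site
    {"id": 1, "title": "Agenda", "author": "alice", "description": "<p>Notes for <b>Monday</b></p>"},
    {"id": 2, "title": "Status", "author": "bob", "description": '<p onmouseover="x()">hi</p><script>x()</script><iframe src="u"></iframe>'},
]
```

Running find_xss_problems(SAMPLE_ENTRIES) flags only entry 2, and save_description on that entry returns the cleaned '<p>hi</p>' for an untrusted submitter but the original HTML unchanged when the submitter is on the trusted list, which is exactly why footnote ** matters.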