enPortal includes two types of XSS protection:
- CRS proxied web applications
- Core product
1.1. CRS Proxied Web Applications
enPortal ships with a default CRS handler to deal with generic XSS issues in proxied web applications. However, since these generic rules may cause issues with the proxied web applications they are disabled by default. Please note that in some cases the PIMs provided by Edge may have specific rules or the default XSS handler enabled - refer to the individual PIM documentation for more information.
The handler is shipped with enPortal in the following location: [INSTALL_HOME]/server/webapps/enportal/WEB-INF/xmlroot/server/crs/runtimehandlers/handleXSS.xml
This handler can be assigned to a specific channel, proxy classes (for all channels that use these classes), or enabled system-wide. To enable system-wide move the handler from runtimehandlers/ to defaulthandlers/ but as mentioned above this may have negative consequences.
1.2. Core Product
enPortal core features are designed to perform their own input validation, however due to the type of some accepted inputs, and due to the extensible nature of the product, it's not possible to provide specific protection in all cases. As a result there is an additional layer of protection applied to all inputs received from clients. Input here is defined as the complete HTTP request from the client which is the query, headers, and body.
This protection is applied in the form of rule sets defined in [INSTALL_HOME]/server/webapps/enportal/WEC-INF/config/config.properties with logging to [INSTALL_HOME]/server/logs/jspsystem.log. The following rules are defined:
- Rule 77: allows all input when the referrer is enPortal.
- Rule 99: examines the input for matches - this is the default rule to discover injection of unwanted content.
Generally the default rules are sufficient. Note that if intrusion testing is performed on enPortal then these tools can forge the referrer, bypassing the extra XSS protection, which may lead to some scan failures. Even in this situation enPortal components feature input validation which should still ensure an XSS safe environment.
However, it is possible to disable Rule 77 and force checking of all input, but this may result in reduced functionality if submitted input matches Rule 99. The following areas may be affected (mostly admin functionality):
- enPortal user passwords
- setting SSO token for passwords
- using XMLImport with matching filename
- setting proxied channel parameters
- using the Regex Evaluator
- using the Expression Evaluator
- setting Display name for folders and channels
Other than enabling/disabling Rule 77 it is not recommended to change the rules without assistance from Edge.