
Preventing XSS (Cross-Site Scripting) Attacks for a Custom Plugin

Overview

You would like to know what measures can be taken to prevent XSS (Cross-Site Scripting) attacks in a custom plugin.


Information

Custom-developed plugins are out of scope for the Jive Support team. You will need to reach out to the Professional Services team for further information on this topic. Kindly reach out to your Account Executive for more information on a Professional Services engagement.


In the interim, you can find further instructions from the security team below. Please note that the recommendations below only harden the environment and make XSS attacks more difficult to carry out. Performing these steps alone will not ensure complete protection from XSS attacks.


In the Jive system properties, you can change the following default values:

  • html.widget.strip.javascript = true -> (default false) Setting this to true strips all JavaScript from every HTML Text Widget (which is then rendered inline), regardless of entitlements.
  • jive.htmlwidget.cleansejavascript = true -> (default true) Keep this at true; setting it to false stops Jive from stripping JavaScript from HTML Widgets for users who are not system administrators.
  • html.widget.safemode.enabled = true -> (default true) Keep this at true; setting it to false lets HTML Text Widgets that contain JavaScript render inline instead of in the default iFrame.


You will also need to apply the following changes to the tile add-on file:

<jive_folder>/var/www/resources/add-ons/185191ef-772a-4541-8b5a-411108dda0fa/52416ce682/tiles/generic-html/javascripts/script-cleaner.js

The changes to be made are:

  • Add svg to DOM_ELEMENTS
  • Add onend to DOM_LEVEL0_EVENTS
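DOM_ELEMENTS and DOM_LEVEL0_EVENTS are deny lists: the first names elements the cleaner removes outright, the second names inline event-handler attributes it drops from every remaining tag. The following is an added illustration of how such a cleaner applies both lists; it is not Jive's script-cleaner.js, and the list names are taken from the change above while their contents, the sample input and the helper names (cleanHtml, cleanTag, isScriptUrl) are assumptions for the example. It shows why adding svg and onend matters: an SVG animation with an onend handler survives a cleaner whose lists lack those entries.

```javascript
// Added example, not Jive's script-cleaner.js: a minimal deny-list HTML
// cleaner built around two lists named like the ones in the page.
// The contents of both lists are assumptions chosen for illustration.
// Regex-based cleaning is fragile (entity-encoded URLs, malformed tags and
// nested quoting are not handled), which is why the page's advice to
// follow OWASP practice, i.e. a maintained sanitizer, still applies.

// Elements removed together with everything between their open and close
// tags. "svg" is included because SVG can carry its own <script> and
// animation event attributes.
const DOM_ELEMENTS = ["script", "iframe", "object", "embed", "svg"];

// Inline event-handler attributes dropped from every remaining tag;
// "onend" (fired when an SVG/SMIL animation finishes) is included.
const DOM_LEVEL0_EVENTS = ["onload", "onerror", "onclick", "onmouseover", "onfocus", "onend"];

// Pass 1 pattern: a deny-listed element and its content, e.g. <svg>...</svg>.
const ELEMENT_RE = new RegExp(
  `<(${DOM_ELEMENTS.join("|")})\\b[^>]*>[\\s\\S]*?<\\/\\1\\s*>`, "gi");

// Pass 2 pattern: any tag, with quoted attribute values allowed to contain '>'.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:"[^"]*"|'[^']*'|[^"'>])*?)(\/?)>/g;

// Attribute name and optional value inside a tag body.
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Returns true when an href/src value would execute script.
function isScriptUrl(raw) {
  const value = raw.replace(/^["']|["']$/g, "").replace(/\s+/g, "").toLowerCase();
  return value.startsWith("javascript:");
}

// Rebuilds one opening tag, dropping deny-listed event attributes and
// script URLs in href/src.
function cleanTag(name, body, selfClosing) {
  const kept = [];
  for (const m of body.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const raw = m[2];
    if (DOM_LEVEL0_EVENTS.includes(attr)) continue;
    if ((attr === "href" || attr === "src") && raw !== undefined && isScriptUrl(raw)) continue;
    kept.push(raw === undefined ? m[1] : `${m[1]}=${raw}`);
  }
  const attrs = kept.length ? " " + kept.join(" ") : "";
  return `<${name}${attrs}${selfClosing ? " /" : ""}>`;
}

function cleanHtml(html) {
  // Pass 1: remove deny-listed elements together with their content.
  let out = html.replace(ELEMENT_RE, "");
  // Pass 2: rewrite every remaining tag; unclosed or stray deny-listed
  // tags that pass 1 could not pair up are dropped here.
  out = out.replace(TAG_RE, (whole, closing, name, body, selfClose) => {
    if (DOM_ELEMENTS.includes(name.toLowerCase())) return "";
    if (closing) return `</${name}>`;
    return cleanTag(name, body, selfClose === "/");
  });
  return out;
}

// Constructed sample input (not a real widget payload).
const SAMPLE =
  '<p onclick="x()">Hi <b>there</b></p>' +
  '<svg><animate onend="x()" /></svg>' +
  '<a href="javascript:x()">link</a>' +
  '<img src="/logo.png" onerror="x()">' +
  '<script>x()</script>';

console.log(cleanHtml(SAMPLE));
// → <p>Hi <b>there</b></p><a>link</a><img src="/logo.png">
```

Removing "svg" from DOM_ELEMENTS or "onend" from DOM_LEVEL0_EVENTS lets the `<animate onend=...>` handler through untouched, which is the gap the file change closes. The cleaner is a deny list, so anything not named survives; that is the reason the page stresses these steps harden the environment rather than guarantee protection.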

 

Please note that we follow OWASP security best practices. You can find more information below:

Priyanka Bhotika

Posted