> Forums > Active Social > Feedback and Requests > ENH: Add Flag to Disable XSS Protection in Journal API
Last Post 23 May 2011 07:47 AM by Steven Webster. 2 Replies.
Not Resolved
Steven Webster (Customers, Post Count: 1682)
06 May 2011 05:32 PM
    • Type of Feedback: Something to think about
    Currently the Journal.AddItem API uses the DotNetNuke XSS Filter to remove potentially malicious code from posts into the journal. While this makes sense when end users might have access to a form field that gets posted directly to the journal through the API, it prevents legitimate content from being posted through the API by a third-party developer.

    A specific example involves a recent attempt to post the video embed code from Ultra Video Gallery (BizModules.net) into the journal's FullText property so it would show a playable video inside the journal.  (see screenshot).  But, since the CSS filters are in place the code is stripped out.  I have tested this using YouTube's newer sharing code which uses an IFRAME and get the same result.

    This could be easily overcome with the addition of a property to the API to disable XSS protection.  In this case, since the API is called from a third party module, error and malicious handling is the responsibility of that module...and since the developer has no control over this filter in the journal the results are very limited.

    Will - Just wanted to capture this somewhere other than emails.

    Steven Webster
    Manager, Community Platform
    F5 Networks, DevCentral
    Tags: UVG, BizModules, journal, API, XSS
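    The request above trades a blanket filter for a flag that disables it and moves responsibility to the calling module; the check that module would then need is shown below. This is an added example, not Active Social or DotNetNuke code: a Python allowlist that accepts only `<iframe>` embeds from assumed trusted hosts over https and rejects everything else, so a caller using such a flag never forwards arbitrary markup. The host list, the attribute list and the placeholder video id are assumptions; a module author would write the same logic in the module's own language.

```python
"""Allowlist check a calling module can run before posting embed markup
to a journal API with XSS filtering disabled. Added example, not code from
Active Social or DotNetNuke; host names and attribute list are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: only these embed hosts may appear in an <iframe src>.
EMBED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com", "player.vimeo.com"}
# Attributes an embed legitimately needs; anything else (onload, srcdoc, ...) is rejected.
IFRAME_ATTRS = {"src", "width", "height", "frameborder", "allowfullscreen", "allow", "title"}

class _EmbedChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.ok = True
        self.iframes = 0

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            self.ok = False          # only <iframe> is permitted at all
            return
        self.iframes += 1
        attrs = dict(attrs)
        if not set(attrs) <= IFRAME_ATTRS:
            self.ok = False          # unexpected attribute, e.g. an event handler
            return
        src = urlparse(attrs.get("src") or "")
        if src.scheme != "https" or src.hostname not in EMBED_HOSTS:
            self.ok = False          # javascript:, data:, http: or a foreign host

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        if data.strip():
            self.ok = False          # text outside the iframe is not an embed

def is_trusted_embed(markup):
    """True only if markup is one or more <iframe> elements pointing at allowlisted hosts."""
    checker = _EmbedChecker()
    checker.feed(markup)
    checker.close()
    return checker.ok and checker.iframes > 0

if __name__ == "__main__":
    good = '<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEOID" frameborder="0" allowfullscreen></iframe>'
    bad = '<iframe src="javascript:alert(1)"></iframe>'
    print(is_trusted_embed(good), is_trusted_embed(bad))  # True False
```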
    Steven Webster (Customers, Post Count: 1682)
    07 May 2011 12:53 PM
    Hey, looks like I'm not the only one with this idea.... ;)

    http://www.activemodules.com/active...ss-checks/

    Now to add this to the journal API too.

    Steven Webster
    Manager, Community Platform
    F5 Networks, DevCentral
    Steven Webster (Customers, Post Count: 1682)
    23 May 2011 07:47 AM
    This is now in AS 1.9.3, tested and working. Big thanks to Will and DNN/AM

    Steven Webster
    Manager, Community Platform
    F5 Networks, DevCentral