Wednesday, July 11, 2012

Websphere Portal Cross-Site-Scripting Protection

WebSphere Portal version 7 provides a cross-site scripting (XSS) protection mechanism that encodes the "<" and ">" characters during a form post. This protection mechanism is turned on by default. As a consequence, the request values passed to the portlet's processAction method are the encoded values (e.g. "&lt;" for "<" and "&gt;" for ">"), so an HTML unescape call is required to retrieve the original input values.
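As an added illustration (not code from the original post or from IBM), here is a hypothetical JSR 286 portlet that reverses the two substitutions described above in processAction and re-encodes the value when rendering it, since the decoded text again contains raw "<" and ">". The class name and the "comment" parameter name are assumptions.

```java
import java.io.*;
import javax.portlet.*;

// Hypothetical portlet; "comment" is an assumed form field name.
public class CommentPortlet extends GenericPortlet {

    // Reverse only what the portal's protection encoded: "&lt;" and "&gt;".
    // A general-purpose HTML unescape would also alter entities the user typed literally.
    static String decodePortalEncoding(String value) {
        if (value == null) return null;
        return value.replace("&lt;", "<").replace("&gt;", ">");
    }

    // Encode for HTML output; covers more than the two characters the portal handles.
    static String encodeForHtml(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        // With security.css.protection enabled, a submitted "<b>" arrives as "&lt;b&gt;".
        String raw = decodePortalEncoding(request.getParameter("comment"));
        // Validate or persist the original text here, then pass it on to the render phase.
        response.setRenderParameter("comment", raw == null ? "" : raw);
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        // Decoding restored the raw "<" and ">", so re-encode before writing markup.
        out.print("<p>" + encodeForHtml(request.getParameter("comment")) + "</p>");
    }
}
```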

To disable the cross-site scripting protection, the security.css.protection service configuration property needs to be set to false using the procedure described in http://www-10.lotus.com/ldd/portalwiki.nsf/dx/Setting_service_configuration_properties_wp7.