Wednesday, July 11, 2012

WebSphere Portal Cross-Site-Scripting Protection

WebSphere Portal version 7 provides a cross-site scripting (XSS) protection mechanism that encodes the "<" and ">" characters during a form post. This protection mechanism is turned on by default. As a consequence, the request values passed to the portlet processAction method are encoded, e.g. "&lt;" for "<" and "&gt;" for ">", so an HTML unescape call is required to retrieve the original input values.
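Once a value has been unescaped it is raw user input again, so it has to be encoded for its output context when the portlet renders it. The sketch below is an added example, not code from the original post or from WebSphere Portal: it reverses only the two substitutions described above and re-encodes on output. The class and method names are hypothetical, and it assumes that "<" and ">" are the only characters the portal encodes.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class PortalXssValues {

    // Reverse only the two substitutions the post describes ("&lt;" and "&gt;").
    // A general HTML unescape would also decode other entities the user typed literally.
    static String restoreAngleBrackets(String posted) {
        if (posted == null) return null;
        return posted.replace("&lt;", "<").replace("&gt;", ">");
    }

    // Encoding for HTML element content and quoted attribute values,
    // applied at render time to the restored raw value.
    static String encodeForHtml(String raw) {
        if (raw == null) return "";
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, shaped like what processAction would get from
        // request.getParameter(...) while the protection is enabled.
        Map<String, String> posted = new LinkedHashMap<>();
        posted.put("comment", "a &lt; b and b &gt; c");
        posted.put("title", "&lt;script&gt;alert(1)&lt;/script&gt;");
        for (Map.Entry<String, String> e : posted.entrySet()) {
            String raw = restoreAngleBrackets(e.getValue()); // value to validate and store
            String safe = encodeForHtml(raw);                // value to write into the page
            System.out.println(e.getKey() + ": raw=" + raw + " | rendered=" + safe);
        }
    }
}
```

A user who types the literal text "&lt;" cannot be told apart from an encoded "<" after the round trip, which is a reason to validate the restored value against what the field is expected to contain.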

To disable the Cross-Site-Scripting protection, the service configuration property value needs to be set to false using the procedure described in