Protecting against malicious active content 

The active content filter prevents users from embedding malicious content in Communities input fields.


Before starting

To edit configuration files, use the IBM WAS wsadmin client. See Starting the wsadmin client for details.


About this task

Communities provides a filter that prevents users from entering rich text descriptions that contain malicious scripts, which would otherwise run when other users visit Communities. You can disable this filter to allow richer content in any Communities text input field.

Note: Disabling this filter introduces a vulnerability to cross-site scripting (XSS) and other types of malicious attack. See Securing applications from malicious attack for additional information.


Procedure

To configure the active content filter...

  1. On the deployment manager (dmgr) host, start the wsadmin client and load the Communities administration script:

      cd $DMGR_PROFILE/bin
      ./wsadmin.sh -jython
      execfile("communitiesAdmin.py")

      If prompted to specify a service to connect to, type 1 to pick the first node in the list. Most commands can run on any node. If the command writes or reads information to or from a file using a local file path, pick the node where the file is stored.

  2. Check out the Communities configuration files using the following command:

      CommunitiesConfigService.checkOutConfig("<working_directory>", "<cell_name>")

      where:

      • <working_directory> is the temporary working directory to which the configuration XML and XSD files are copied. The files are kept in this working directory while you make changes to them.

          Note: AIX and Linux only: The directory must grant write permissions or the command will not run successfully.

      • <cell_name> is the name of the WAS cell hosting the IBM Connections application. This argument is required. If you do not know the cell name, you can determine it by typing the following command in the wsadmin command processor:

          print AdminControl.getCell()

      For example:

      CommunitiesConfigService.checkOutConfig("/opt/my_temp_dir", "CommServerNode01Cell")

  3. Optional: To check the current setting of the active content filter property, use the following command:

      CommunitiesConfigService.showConfig()

      Look for the following property in the output that displays:

      activeContentFilter.enabled = true

  4. To change the value of the active content filter property, use the following command:

      CommunitiesConfigService.updateConfig("<property>", "<value>")

      where:

      • <property> is one of the editable Communities configuration properties.

      • <value> is the new value with which you want to set that property.

      The following table displays information regarding the active content filter property and the type of data that you can enter for it.

      Table 1. The active content filter property

      Property                      Description
      activeContentFilter.enabled   When enabled, this property prevents the addition of active content (JavaScript™, for example) to any Community text input field.
                                    This property takes a Boolean value: true or false.


      For example:

      CommunitiesConfigService.updateConfig("activeContentFilter.enabled", "false")

  5. After making changes, check the configuration files back in. You must do so during the same wsadmin session in which you checked them out for the changes to take effect. See Apply property changes in Communities for information about how to save and apply your changes.
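If activeContentFilter.enabled is set to false as in the example above, rich text stored in Communities can be reviewed for active content. The following Python check is an added example, not IBM's filter or code from this product; the tag, attribute and scheme lists, the function names and the sample descriptions are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed, minimal notion of "active content" for this illustration only;
# these lists are not IBM's filter rules and are not exhaustive.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class ActiveContentFinder(HTMLParser):
    """Collects (line, kind, name) findings from one rich-text fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before this call.
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, "tag", tag))
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onerror, onload, ...
                self.findings.append((line, "event-handler", name))
            elif name in URL_ATTRS and value:
                # Entity references in the value are already decoded. Browsers
                # strip tabs and newlines from URLs; removing all whitespace
                # and control characters here errs toward flagging.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(ACTIVE_SCHEMES):
                    self.findings.append((line, "script-url", name))

def find_active_content(fragment):
    """Return the findings for one HTML fragment (empty list if clean)."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings

def audit(descriptions):
    """Map each description id to its findings, omitting clean entries."""
    hits = {key: find_active_content(html) for key, html in descriptions.items()}
    return {key: found for key, found in hits.items() if found}

# Constructed sample descriptions, not taken from any real deployment.
SAMPLES = {
    "plain": "<p>Weekly <b>status</b> and <a href='https://example.com/w'>wiki</a></p>",
    "script": "<p>Hello</p>\n<script>void 0</script>",
    "handler": '<img src="logo.png" onerror="void 0">',
    "url": '<a href="java&#115;cript:void 0">link</a>',
}
```

Calling audit(SAMPLES) returns findings for the "script", "handler" and "url" entries and omits "plain".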


    Parent topic

    Manage community content

    Related concepts
    Securing applications from malicious attack


    Related tasks


    Apply property changes in Communities

    Related reference
    Communities configuration properties


       

     
