Securing features from malicious attack
Lotus Connections provides...
- active content filtering
- content upload limits
Cross-site scripting (XSS) attacks can occur when authors introduce JavaScript into their content to, among other things, steal a user's session. Session stealing in a single sign-on environment poses particular challenges because any vulnerability to XSS attacks can render the entire single sign-on domain vulnerable. The active content filter removes JavaScript and other potentially harmful content from a post or entry before adding it to a feature. By default, all user-provided content is sent through this filter.
You can turn off the active content filter if you determine that your network is safe from the threat of malicious attacks.
Enabling the filter removes the ability to add dynamic JavaScript content to a blog. Some areas to consider when deciding which security measures to implement are:
- Text-based fields: When active content filtering is enabled, users cannot add embedded content, such as JavaScript code, to text-based fields. In addition, they cannot add videos to text-based fields in any feature except Blogs. These restrictions prevent users from adding such content to the About Me and Background fields in their profile and to any of the Description fields, such as those used for a community, bookmark, or activity description, and prevent users from adding JavaScript code to a blog posting.
- File uploads: Activities, Blogs, and Files enable users to upload files, and Wikis enables users to attach files to wiki pages. In Activities, users can attach HTML and text files to an activity by default. There is no way to guarantee that the content they attach will not contain malicious code. The reach of such an attack is limited because, for all non-image activity attachments, users must download the content to their local machine before viewing it. This download forces the content to be executed in isolation and prevents downloaded content from accessing data associated with an authenticated activity session. By contrast, while Blogs allows certain file types to be uploaded, HTML files are not one of them. If you choose to modify the file upload settings to allow HTML file uploads, be aware that these pages can contain JavaScript. Enabling the uploading of HTML files introduces a vulnerability to XSS attacks. Files allows all types of content to be uploaded and Wikis allows all types of content to be attached to wiki pages. Both support running the active content filter on the files when they are downloaded.
- Custom templates: Blogs supports the use of custom templates, which give the blog owner the ability to change the look of the blog. A custom template page is not filtered by the active content filter. Allowing custom template use introduces an XSS attack vulnerability.
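The following is an added example, not Lotus Connections code, illustrating the two controls described above: an allowlist-based active content filter that strips script elements, event-handler attributes and non-HTTP(S) URL schemes from user-provided HTML, and a download handler that runs the filter over uploaded HTML and forces non-image attachments to be downloaded rather than rendered in the authenticated session. Tag and attribute allowlists, the `filter_active_content` and `serve_attachment` function names, the `X-Content-Type-Options` header and the sample input are all assumptions made for this example; the real product's filter rules are not documented on this page.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists are assumptions for this example, not the product's configuration.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}


class ActiveContentFilter(HTMLParser):
    """Rebuilds HTML from an allowlist; everything not allowed is dropped and logged."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0        # > 0 while inside script/style/iframe/...
        self.removed = []          # audit trail of what the filter stripped

    @staticmethod
    def _safe_url(value):
        # Strip whitespace and control characters first so "java\nscript:" is not missed.
        cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:           # drop the element and its body
            self.skip_depth += 1
            self.removed.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:            # drop the tag, keep its text
            self.removed.append(tag)
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                if name.startswith("on"):      # inline event handler
                    self.removed.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and not self._safe_url(value):
                self.removed.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape decoded text


def filter_active_content(html):
    """Return (filtered_html, list_of_removed_items)."""
    f = ActiveContentFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed


def serve_attachment(content_type, filename, body):
    """Headers and body for an uploaded file: images inline, HTML filtered,
    everything that is not an image forced to download (Content-Disposition: attachment)."""
    safe_name = filename.replace('"', "")
    headers = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if content_type in IMAGE_TYPES:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        return headers, body
    if content_type == "text/html":
        filtered, _ = filter_active_content(body.decode("utf-8", "replace"))
        body = filtered.encode("utf-8")
    headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers, body


# Constructed sample of a blog entry carrying the kinds of content the filter removes.
SAMPLE_ENTRY = (
    '<p onclick="alert(1)">Hello <b>world</b>'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(document.cookie)">click</a>'
    '<a href="https://example.com/">ok</a>'
    '<img src="x.png" onerror="alert(1)" alt="x"></p>'
)

if __name__ == "__main__":
    cleaned, removed = filter_active_content(SAMPLE_ENTRY)
    print(cleaned)
    print("removed:", removed)
```

Expected result for the sample entry: `<p>Hello <b>world</b><a>click</a><a href="https://example.com/">ok</a><img src="x.png" alt="x"></p>`, with `['p@onclick', 'script', 'a@href', 'img@onerror']` logged as removed. The `removed` list is worth retaining in server logs: a sudden rise in stripped script elements for one author is a useful detection signal even though the filter already neutralised the content.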
See
- Mitigating a cross site scripting attack
- Turning off active content filtering
- Disabling support for flash animations
Related tasks
- Security
- Protecting against malicious active content
- Communities configuration properties
- Activities configuration properties