Technote

(troubleshooting)
Additional Prohibited Strings for WebSphere Commerce Cross-Site Scripting Protection
Problem (Abstract)
When you enable Cross-Site Scripting Protection in IBM WebSphere Commerce, the following strings are specified by default:

<SCRIPT
&lt;SCRIPT
<%
&lt;%

In order to enhance security, IBM recommends that the following two strings are added to the prohibited list:

javascript
&10;&13;

Note that the last entry in this list is the "carriage return" character.
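To make concrete what the prohibited list does, the following is an added example (not WebSphere Commerce code) of a prohibited-substring check run over constructed request parameters, first with the four default strings and then with the two recommended additions. It assumes the product compares case-insensitively against the raw parameter value; that assumption, the sample requests and the function names are the example's own.

```python
# Added example: a prohibited-substring check in the spirit of the
# technote's Cross-Site Scripting Protection list. It is not WebSphere
# Commerce code; case-insensitive matching on the raw parameter value is
# an assumption about the product's behaviour, not a documented fact.

# The four strings the technote lists as enabled by default.
DEFAULT_PROHIBITED = ["<SCRIPT", "&lt;SCRIPT", "<%", "&lt;%"]

# The two strings the technote recommends adding. The second is the
# literal text "&10;&13;" exactly as the technote writes it.
ADDITIONAL_PROHIBITED = ["javascript", "&10;&13;"]


def find_prohibited(params, prohibited):
    """Return {param_name: [matched_strings]} for every parameter whose
    value contains at least one prohibited string (case-insensitive)."""
    hits = {}
    for name, value in params.items():
        folded = value.casefold()
        matched = [s for s in prohibited if s.casefold() in folded]
        if matched:
            hits[name] = matched
    return hits


def is_request_allowed(params, prohibited):
    """True when no parameter value contains a prohibited string."""
    return not find_prohibited(params, prohibited)


# Constructed sample requests (not captured from any real system).
SAMPLE_REQUESTS = {
    "plain search": {"searchTerm": "red running shoes", "pageSize": "20"},
    "script tag": {"comment": "Nice <script>alert(1)</script>"},
    "entity-encoded tag": {"comment": "Nice &lt;script&gt;alert(1)"},
    "javascript url": {"returnUrl": "javascript:alert(1)"},
}


def evaluate(prohibited):
    """Map each sample request label to True (allowed) or False (blocked)."""
    return {label: is_request_allowed(p, prohibited)
            for label, p in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("Default list only:")
    for label, allowed in evaluate(DEFAULT_PROHIBITED).items():
        print(f"  {label:20s} -> {'allowed' if allowed else 'BLOCKED'}")
    print("Default list plus the two recommended strings:")
    enhanced = DEFAULT_PROHIBITED + ADDITIONAL_PROHIBITED
    for label, allowed in evaluate(enhanced).items():
        print(f"  {label:20s} -> {'allowed' if allowed else 'BLOCKED'}")
```

With only the default strings, the `javascript:` return URL is accepted because none of the four defaults appears in it; adding `javascript` to the list is what rejects it. A denylist of this kind is a defence-in-depth layer: it stops known-bad substrings at the request boundary, while contextual output encoding of values written into pages remains the primary control.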
Resolving the problem

To add the two new strings to the prohibited list, follow the instructions on the page entitled "Enabling cross-site scripting protection" in the WebSphere Commerce Information Center:
WebSphere Commerce 6.0
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/tasks/tsecsssp.htm

WebSphere Commerce 5.6.1
http://publib.boulder.ibm.com/infocenter/wchelp/v5r6m1/index.jsp?topic=/com.ibm.commerce.admin.doc/tasks/tsecsssp.htm
Cross Reference information

Segment  | Product                                | Component | Platform                               | Version    | Edition
Commerce | WebSphere Commerce Business Edition     | Security  | AIX, i5/OS, Linux, Solaris, Windows    | 5.6.1      | Business Edition
Commerce | WebSphere Commerce Professional Edition | Security  | AIX, i5/OS, Linux, Solaris, Windows    | 5.6.1, 6.0 | Professional Edition
Commerce | WebSphere Commerce - Express            | Security  | AIX, i5/OS, Linux, Solaris, Windows    | 5.6.1, 6.0 | Express

Document Information

Current web document: http://www.ibm.com/support/docview.wss?uid=swg21288639