Additional Prohibited Strings for WebSphere Commerce Cross-Site Scripting Protection
Technote (troubleshooting)

Problem (Abstract)
When you enable Cross-Site Scripting Protection in IBM WebSphere Commerce, the following strings are specified by default:
SCRIPT
<
<SCRIPT
<
%
<%
To enhance security, IBM recommends adding the following two strings to the prohibited list:
javascript
&10;&13;
Note that the last entry is not literal text: it denotes the line feed (character 10) and carriage return (character 13) characters.

Resolving the problem
To add the two new strings to the prohibited list, follow the instructions on the page entitled "Enabling cross-site scripting protection" in the WebSphere Commerce Information Center:
WebSphere Commerce 6.0
http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=/com.ibm.commerce.admin.doc/tasks/tsecsssp.htm
WebSphere Commerce 5.6.1
http://publib.boulder.ibm.com/infocenter/wchelp/v5r6m1/index.jsp?topic=/com.ibm.commerce.admin.doc/tasks/tsecsssp.htm
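The following is an added illustration of the deny-list check the technote is configuring; it is not IBM's code and not taken from the Information Center. It assumes the check runs on the URL-decoded parameter value and that matching is a case-sensitive substring comparison (the technote's defaults are upper-case and its addition is lower-case, which only matters if case is significant); the technote's line-break entry is modelled as the line feed and carriage return characters themselves. The sample parameters are constructed, not captured traffic.

```python
"""Deny-list check modelled on WebSphere Commerce cross-site scripting
protection: a request parameter is rejected when it contains any of the
configured prohibited strings.

Added illustration, not IBM's code.  Assumptions: the value is checked
after URL decoding, and matching is a case-sensitive substring test.
"""
from typing import Dict, Iterable, Optional
from urllib.parse import unquote

# Default prohibited strings as listed in the technote.
DEFAULT_PROHIBITED = ["SCRIPT", "<", "<SCRIPT", "%", "<%"]

# The technote's two recommended additions.  The second one is modelled
# here as the line-feed (10) and carriage-return (13) characters
# (assumption: the technote's entity-style entry denotes those characters).
RECOMMENDED_ADDITIONS = ["javascript", "\n", "\r"]


def find_prohibited(value: str, prohibited: Iterable[str],
                    case_sensitive: bool = True) -> Optional[str]:
    """Return the first prohibited string contained in value, else None."""
    hay = value if case_sensitive else value.lower()
    for needle in prohibited:
        probe = needle if case_sensitive else needle.lower()
        if probe in hay:
            return needle
    return None


def check_request(params: Dict[str, str], prohibited: Iterable[str],
                  case_sensitive: bool = True) -> Dict[str, str]:
    """URL-decode each parameter once and test it against the list.

    Returns {parameter name: matched prohibited string} for every
    parameter that would be rejected.
    """
    prohibited = list(prohibited)
    rejected: Dict[str, str] = {}
    for name, raw in params.items():
        hit = find_prohibited(unquote(raw), prohibited, case_sensitive)
        if hit is not None:
            rejected[name] = hit
    return rejected


# Constructed sample query parameters, as they would arrive on the wire.
SAMPLE_PARAMS = {
    "q":   "red%20shoes",                          # benign search term
    "msg": "%3Cscript%3Ealert(1)%3C/script%3E",    # tag injection; '<' catches it
    "dbl": "%253Cscript%253E",                     # double-encoded; '%' survives one decode
    "URL": "javascript:alert(document.cookie)",    # redirect/href payload, no '<' or '%'
    "ref": "java%0D%0Ascript:alert(1)",            # CR LF splits the word "javascript"
    "go":  "JavaScript:alert(1)",                  # mixed case evades a case-sensitive list
}


if __name__ == "__main__":
    print("defaults only :", check_request(SAMPLE_PARAMS, DEFAULT_PROHIBITED))
    print("with additions:", check_request(
        SAMPLE_PARAMS, DEFAULT_PROHIBITED + RECOMMENDED_ADDITIONS))
    print("case-insensitive:", check_request(
        SAMPLE_PARAMS, DEFAULT_PROHIBITED + RECOMMENDED_ADDITIONS,
        case_sensitive=False))
```

Run against the defaults alone, only "msg" and "dbl" are rejected: the `javascript:` URL and its line-broken variant contain neither "<" nor "%", so they reach the application. With the two additions, "URL" is caught by "javascript" and "ref" by the line feed, which is the reason for prohibiting the line-break characters alongside the word. The mixed-case "go" value still passes a case-sensitive list, which is the standing caveat with any prohibited-string approach: treat it as a secondary control and keep context-appropriate output encoding in the JSPs as the primary defence. Note also that a substring match on "SCRIPT" (or, case-insensitively, "script") will reject benign values such as "description", so the check should be scoped to the parameters that need it.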
Cross reference information

Segment   Product                                  Component  Platform                             Version     Edition
Commerce  WebSphere Commerce Business Edition      Security   AIX, i5/OS, Linux, Solaris, Windows  5.6.1       Business Edition
Commerce  WebSphere Commerce Professional Edition  Security   AIX, i5/OS, Linux, Solaris, Windows  5.6.1, 6.0  Professional Edition
Commerce  WebSphere Commerce - Express             Security   AIX, i5/OS, Linux, Solaris, Windows  5.6.1, 6.0  Express
Document information
Current web document: http://www.ibm.com/support/docview.wss?uid=swg21288639