Server Administrator's Guide
XSS conditions
The config entry xss-conditions is used to determine whether the input data is plain text or HTML text. The conditions are applied against the input data. If a condition matches, the input data is considered HTML text and is sanitized according to the HTML sanitization process. If it does not match, the action configured for the unmatched-content-action-type attribute is applied.
The default xss-conditions snippet:
<xss-conditions>
    <element-detection-pattern unmatched-content-action-type='HTML_ESCAPE'>
    (.*&lt;([^\\s].*)&gt;.*)</element-detection-pattern>
</xss-conditions>

Element detection pattern

The default xss-conditions look for possible element patterns, such as any string starting with the "<" symbol. If the pattern matches the input data, the data is considered HTML text and is passed to the xss handler for sanitization. If no element pattern is found in the given data, the data is considered plain text and the unmatched-content-action-type attribute determines the further action taken on it.
Note: The value of the element-detection-pattern should be a valid Java regular expression.

Unmatched content action type

If no element pattern is found in the input data, the xss handler takes one of the following actions on the input data before returning it.
HTML_ESCAPE - Escapes the characters in the input data using HTML entities.
Example:
"bread" & "butter"
becomes:
&quot;bread&quot; &amp; &quot;butter&quot;
NO_ACTION - No action is taken on the input data; it is accepted as it is.
One of the above values must be configured for the attribute named unmatched-content-action-type on the <element-detection-pattern> element.
Note: By default (HTML_ESCAPE), the special characters in the input data are escaped as HTML entities.
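The following is an added example (not Business Process Server code) that walks through the element detection pattern and the unmatched content action described above on constructed inputs. It assumes the config loader decodes the XML entities in the snippet (&lt; to <, &gt; to >), that the doubled backslash on the page stands for the single regex escape \s, that the pattern is searched for anywhere in the input (Java Matcher.find() style), and that the HTML sanitization step is a caller-supplied hook, here a hypothetical tag stripper.

```python
import html
import re

# Element detection pattern from the default xss-conditions snippet, after the
# config loader decodes the XML entities. Assumption: the doubled backslash on
# the page is the single regex escape \s (any whitespace character).
ELEMENT_DETECTION_PATTERN = re.compile(r"(.*<([^\s].*)>.*)")

# Allowed values of the unmatched-content-action-type attribute.
HTML_ESCAPE = "HTML_ESCAPE"
NO_ACTION = "NO_ACTION"


def is_html_text(data: str) -> bool:
    """Apply the xss-condition: a match means the input is treated as HTML.

    Assumption: the handler searches the input for the pattern (Java
    Matcher.find() semantics) rather than requiring a whole-string match.
    """
    return ELEMENT_DETECTION_PATTERN.search(data) is not None


def apply_unmatched_action(data: str, action: str) -> str:
    """Handle plain text according to unmatched-content-action-type."""
    if action == HTML_ESCAPE:
        # quote=True also escapes double quotes as &quot;, which reproduces
        # the page's "bread" & "butter" example.
        return html.escape(data, quote=True)
    if action == NO_ACTION:
        return data
    raise ValueError(f"unknown unmatched-content-action-type: {action}")


def process_input(data: str, sanitize, action: str = HTML_ESCAPE):
    """Route input the way the xss handler does; returns (route, output).

    `sanitize` is a hypothetical hook standing in for the HTML sanitization
    process, which is documented elsewhere in the guide.
    """
    if is_html_text(data):
        return "sanitized", sanitize(data)
    return "unmatched:" + action, apply_unmatched_action(data, action)


if __name__ == "__main__":
    # Constructed samples. "a < b" has whitespace after "<", so the [^\s]
    # class keeps it from being mistaken for markup; it is escaped instead.
    strip_tags = lambda s: re.sub(r"<[^>]*>", "", s)  # placeholder sanitizer
    for sample in ['"bread" & "butter"', "a < b and c > d", "<b>bold</b> text"]:
        print(repr(sample), "->", process_input(sample, strip_tags))
```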