Server Administrator's Guide
XSS rules
The xss-rules configuration specifies which tags and attributes are accepted and which are rejected in the input data.

Import rules from different files

The xss-rules can be split across multiple files and imported into the main configuration file with the <import> tag. Its file attribute is the path of the file in the classpath and its name attribute is the name of the xss-rules section in that file. Each imported file uses the same xss-rules elements as those explained in this section.
An example would be:
<import file='resources/conf/bmwebsecurity/bmxsshtml4rules.xml' name="xss-default-html4"/>
The above tag imports the xss-rules section named "xss-default-html4" from the given file location in the classpath.

Accept common attributes

This section explains common attributes, that is, attributes accepted for any tag.
The following configuration specifies which attributes are accepted regardless of the tag they appear in.
Example:
<accept-common-attr name="align">
</accept-common-attr>
This accepts the align attribute in any tag.
This can be further restricted with <except-tag>, which excludes specific tags from the common attribute rule.
Example:
<accept-common-attr name="id">
  <except-tag name="script" />
</accept-common-attr>
This indicates that the "id" attribute can be accepted for any tag except the script tag.
The value of the attribute can be restricted with one or more <regexp> elements, as shown below. If no regular expression is defined, the attribute is accepted irrespective of its value.
<accept-common-attr name="align">
  <regexp>center|left|right</regexp>
</accept-common-attr>
The above configuration indicates that the align attribute should be accepted for any tag, but the value of the attribute must be center, left or right only.
Note: The value of <regexp> must be a valid Java regular expression.

Accept tags

The tags accepted in the input data are defined using <accept-tag>.
For example:
<accept-tag name="b">
</accept-tag>
The above rule says that the "b" bold tag can be accepted.
Tag-specific attributes: each <accept-tag> can list attributes that are allowed for that tag only, as shown below.
<accept-tag name="b">
  <attr name="align">
    <regexp>center|left|right</regexp>
  </attr>
  <attr name="style" />
</accept-tag>
The above rule indicates that the "b" tag is accepted with the align and style attributes within it.

Reject common attributes

The attribute named in the following rule is rejected for all tags.
<reject-common-attr name='style'/>

Reject tags

The tags configured with the following rule are rejected in the input data.
<reject-tag name='script'/>

Reject attributes for a tag

The following snippet rejects a specific attribute of the given tag (here, the href attribute of the "a" tag) while the tag itself is still governed by the accept rules.
<reject-tag name="a">
    <attr name="href"/>
</reject-tag>
The default configuration will not allow the following tags:
<reject-tag name="SCRIPT"/>
<reject-tag name="NOSCRIPT"/>
<reject-tag name="IFRAME"/>
<reject-tag name="FRAMESET"/>
<reject-tag name="IMG"/>
<reject-tag name="META"/>
<reject-tag name="EMBED"/>
<reject-tag name="OBJECT"/>
<reject-tag name="HEAD"/>
<reject-tag name="LINK"/>
Note: Go through the following files for more information on what tags and attributes are accepted or rejected:
conf\resources\conf\bmwebsecurity\bmxsshtml4rules.xml
conf\resources\conf\bmwebsecurity\xss-html4-standard-rules.xml
Important: The recommended approach is to add accept or reject rules through the bmxssconfig.xml rather than modifying the above files.
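To make the rule semantics concrete, here is a small Python evaluator written for this page (not part of the product) that loads a constructed xss-rules fragment and answers whether a tag, or an attribute value on a tag, would be accepted. It assumes an <xss-rules> root element, that reject rules take precedence over accept rules, that tags without an <accept-tag> entry are not accepted, and that each <regexp> must match the whole attribute value as a Java regex does; the "onclick" and "title" names are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rules fragment using this page's elements; the <xss-rules> root is an assumption.
RULES_XML = """<xss-rules>
  <accept-common-attr name="id"><except-tag name="script"/></accept-common-attr>
  <accept-common-attr name="align"><regexp>center|left|right</regexp></accept-common-attr>
  <accept-tag name="b"><attr name="style"/></accept-tag>
  <accept-tag name="a"><attr name="title"/></accept-tag>
  <reject-common-attr name="onclick"/>
  <reject-tag name="script"/>
  <reject-tag name="a"><attr name="href"/></reject-tag>
</xss-rules>"""

def _regexps(elem):
    # One compiled pattern per <regexp>; an empty list means any value is accepted.
    return [re.compile(r.text) for r in elem.findall("regexp")]

def load_rules(xml_text):
    root = ET.fromstring(xml_text)
    rules = {"common": {}, "tags": {}, "reject_common": set(), "reject_tags": {}}
    for e in root.findall("accept-common-attr"):
        rules["common"][e.get("name")] = {
            "except": {t.get("name").lower() for t in e.findall("except-tag")},
            "regexps": _regexps(e)}
    for e in root.findall("accept-tag"):
        rules["tags"][e.get("name").lower()] = {a.get("name"): _regexps(a) for a in e.findall("attr")}
    for e in root.findall("reject-common-attr"):
        rules["reject_common"].add(e.get("name"))
    for e in root.findall("reject-tag"):
        # A <reject-tag> with <attr> children rejects only those attributes, not the tag.
        rules["reject_tags"][e.get("name").lower()] = {a.get("name") for a in e.findall("attr")}
    return rules

def _value_ok(regexps, value):
    # Mirror Java's matches(): the whole value must match one of the patterns.
    return not regexps or any(r.fullmatch(value) for r in regexps)

def tag_allowed(rules, tag):
    tag = tag.lower()
    # Assumption: an outright <reject-tag> wins; otherwise only <accept-tag> entries pass.
    rejected_outright = tag in rules["reject_tags"] and not rules["reject_tags"][tag]
    return tag in rules["tags"] and not rejected_outright

def attr_allowed(rules, tag, attr, value):
    tag = tag.lower()
    if attr in rules["reject_common"] or attr in rules["reject_tags"].get(tag, set()):
        return False
    common = rules["common"].get(attr)
    if common and tag not in common["except"] and _value_ok(common["regexps"], value):
        return True
    tag_attrs = rules["tags"].get(tag, {})
    return attr in tag_attrs and _value_ok(tag_attrs[attr], value)
```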