Technote (troubleshooting)
Problem
When attempting to perform various operations in an administration portlet in WebSphere® Portal, you receive the following message:
"Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This Web site does not allow URLs which might include embedded HTML tags."
Symptom
Example scenarios where issue can occur:
A) Add a portlet to a page
1. Edit the page layout for any page.
2. Click on Add Portlets.
3. Select any portlet and click OK. (Clicking Cancel will also produce the same error.)
Error message received:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
NOTE: Bad CSS character in this case is "%3B"
B) Add a user to a group
1. Under Administration, navigate to Access>Users and Groups
2. Select a group for which you would like to add a new member.
3. Search for a User you would like to add
4. Select the user and click OK or Cancel.
Error message received:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
NOTE: Bad CSS character in this case is "%22"
C) Create a URL mapping
1. Under Administration, navigate to Portal Settings>URL Mapping
2. Select an existing context or create a new one and then click Edit mapping
3. Click OK or Cancel.
Error message received:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
NOTE: Bad CSS character in this case is "%22"
Aside from the above error, another error which can be symptomatic of this issue is:
403 Forbidden You are not authorized to view this page
Cause
Characters passed as part of the URL are considered by Computer Associates® eTrust SiteMinder™ to be evidence of a possible cross-site scripting (CSS) attack and are therefore blocked.
Environment
WebSphere Portal configured with eTrust SiteMinder set up to protect against possible cross site scripting attacks.
Resolving the problem
The issues have been investigated by WebSphere Portal Development and two interim fixes (PK68030 and PK68128) have been created in order to prevent the characters mentioned above from being generated by the administration portlets. These fixes can be obtained via Fix Central.
NOTE: If for any reason the above fixes cannot be installed, IBM® Support confirmed that this issue may be avoided by removing the problem characters from the list of badcsschars on the SiteMinder Policy Server.
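To see which characters in portal-generated URLs match the bad-character list, and what removing an entry from that list changes, the following Python script checks URLs against a list. It is an added example, not IBM or SiteMinder code. The list contents, the sample URLs, and the matching rule (a listed character appearing literally or percent-encoded in the path or query) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed list for illustration; take the real value from the
# badcsschars setting on your SiteMinder Policy Server.
BAD_CSS_CHARS = ["<", ">", "'", '"', ";"]

PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def find_bad_chars(url, bad_chars=BAD_CSS_CHARS):
    """Return (offset, form_in_url, decoded_char) for each hit in path+query."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    hits, i = [], 0
    while i < len(target):
        m = PCT.match(target, i)
        if m:  # percent-encoded byte, e.g. %3B -> ';'
            token, ch = m.group(0), chr(int(m.group(1), 16))
        else:  # literal character
            token = ch = target[i]
        if ch in bad_chars:
            hits.append((i, token, ch))
        i += len(token)
    return hits

def audit(urls, bad_chars=BAD_CSS_CHARS):
    """Map each URL that would match to the distinct forms that matched."""
    report = {}
    for u in urls:
        hits = find_bad_chars(u, bad_chars)
        if hits:
            report[u] = sorted({tok.upper() for _, tok, _ in hits})
    return report

# Constructed sample URLs (hypothetical host and parameters).
SAMPLE_URLS = [
    "https://portal.example.com/wps/myportal/admin?action=add%3Bpage",
    "https://portal.example.com/wps/myportal/admin?group=%22staff%22",
    "https://portal.example.com/wps/myportal/home?view=list",
]

if __name__ == "__main__":
    for url, forms in audit(SAMPLE_URLS).items():
        print(forms, url)
    # Effect of the workaround: the same URLs with ';' and '"' removed.
    print(audit(SAMPLE_URLS, bad_chars=["<", ">", "'"]))
```

Running it against URLs from the web server access log before and after a proposed list change shows exactly which entries the workaround would need to remove, so that no more characters than necessary are taken out of the filter.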