Flash (Alert)
Abstract
This flash describes a scenario that can cause cross-site scripting issues when using Smart Refresh.
Content
When Smart Refresh is used with input values containing a <script> tag, IBM WebSphere Experience Factory V7.0 has code that protects against execution of the script when displaying text, but the Dojo code that adds content to a page used by Smart Refresh can pull all the <script> tags out from anywhere in the content and execute them.
Best Practice:
In order to protect against the potential of cross site scripting, applications should always be developed with validation for all input form values. Validation should reject values containing special characters such as < and > to prevent these values from flowing into the application.
Fix available:
As a fail-safe measure, code updates have been released as test fixes for V7.0.0.x and V7.0.1.x that automatically encode < and > to prevent Dojo from identifying form inputs as scripts. Customers can apply the appropriate test fix, but the recommended approach is to have models explicitly validate all form inputs rather than relying upon the fail-safe. By properly coding the content, the problem can be avoided.
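The two layers described above, explicit validation of form inputs and the fail-safe encoding of < and >, are illustrated below in an added example. This is not IBM's, WebSphere Experience Factory's or Dojo's code: the function names, the simplified script-extraction stand-in and the sample inputs are all constructed for this example, and the encoder also escapes & (an extension of the < and > encoding the flash describes, so the output stays unambiguous).

```javascript
// Added example (not IBM's or Dojo's code): validation and fail-safe
// encoding for a form value that is returned inside a Smart Refresh fragment.

// Best-practice layer: reject any form value containing < or >.
// Returns { ok: true, value } or { ok: false, reason }.
function validateFormValue(value) {
  if (typeof value !== "string") {
    return { ok: false, reason: "value must be a string" };
  }
  if (/[<>]/.test(value)) {
    return { ok: false, reason: "angle brackets are not permitted" };
  }
  return { ok: true, value: value };
}

// Fail-safe layer: encode < and > (and & first, so existing entities are
// not double-decoded) so the value can no longer be parsed as markup.
function encodeAngleBrackets(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Simplified stand-in for a content loader that locates <script> elements
// anywhere in an HTML fragment before inserting it. This models the
// behaviour the flash describes; it is NOT Dojo's implementation, and it
// only counts the scripts it would have found, never runs them.
function countExtractableScripts(fragment) {
  const matches = fragment.match(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi);
  return matches ? matches.length : 0;
}

// Server-side rendering of a refresh fragment: validate first, and encode
// the value regardless, so the encoding still holds if a model omits
// validation (enforceValidation = false simulates that omission).
function renderRefreshFragment(submittedValue, options) {
  const enforceValidation = !options || options.enforceValidation !== false;
  const result = validateFormValue(submittedValue);
  if (enforceValidation && !result.ok) {
    return { accepted: false, html: "", scriptsFound: 0, reason: result.reason };
  }
  const html =
    '<span class="field-value">' + encodeAngleBrackets(submittedValue) + "</span>";
  return { accepted: true, html: html, scriptsFound: countExtractableScripts(html) };
}

// Constructed sample inputs (not taken from the flash).
const SAMPLES = ["Acme Widgets", "<script>probe()</script>", "a < b > c"];

// Unencoded rendering, shown only to count what the loader would extract.
function countScriptsWithoutEncoding(submittedValue) {
  return countExtractableScripts(
    '<span class="field-value">' + submittedValue + "</span>"
  );
}

if (typeof require !== "undefined" && require.main === module) {
  for (const sample of SAMPLES) {
    console.log(JSON.stringify(sample));
    console.log("  validation     :", JSON.stringify(validateFormValue(sample)));
    console.log("  without encode :", countScriptsWithoutEncoding(sample), "script(s) extractable");
    console.log("  with fail-safe :", JSON.stringify(renderRefreshFragment(sample, { enforceValidation: false })));
  }
}
```

Validation runs before the value reaches the model, as the flash recommends, and the encoder is applied on every path so that a fragment containing a script tag arrives as text (`&lt;script&gt;`) rather than as an element the loader can pull out. The entity encoding here is correct for text content; a value placed inside an attribute would additionally need quotes encoded.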
Related information
WEF 7.0.1.2 LO65985
WPF 7.0.0.2 LO65984
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.