IBM Content Navigator, Version 2.0.3

Getting error messages from RESTful AtomPub bindings

The RESTful AtomPub binding of the IBM® CMIS interface reports errors back to the application with a MIME type of text/plain. If you get error messages that contain HTML-like syntax, HTML encode the IBM CMIS error messages before you insert them into your HTML web page.

Symptoms

Consider the following example URL:
http://example.com/cmcmis/resources/$x!icmnlsdb/Checkedout/"><script>alert(25686)</script>

Using this URL returns the following error message:

com.ibm.ecm.cmis.exceptions.InvalidArgumentException: 
CIL1147: The URL of the request is not valid. 
 URL: http://example.com/cmcmis/resources/$x!icmnlsdb/Checkedout/ 
 Invalid portion of the URL: /"><script>alert(25686)</script>

Causes

For certain error messages, the detailed information about the argument or URL that is not valid is included in the text of the error message to help with problem determination.

Resolving the problem

Administrator response: The error message itself is not the problem. Some security validation tools, including Rational AppScan, interpret this response as a cross-site scripting vulnerability because the text is not HTML encoded. However, it is not a vulnerability because web browsers do not run any code in documents that are served with a MIME type of text/plain. If your CMIS application is web-based, you might choose to display this error message in an HTML web page. In that case, you must HTML encode the IBM CMIS error message before you insert it into your HTML web page. For example, the portion of the URL in the error message must be written as &lt;script&gt; instead of <script>. Otherwise, your CMIS application might be vulnerable to cross-site scripting attacks.
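As an added example that is not part of the IBM documentation, the following JavaScript parses the text/plain error message quoted above and HTML encodes every part of it before building markup for the page; the parseCmisError and renderErrorHtml functions are assumptions for illustration, not IBM CMIS APIs.

```javascript
// Added example (not IBM's code): parse a text/plain CMIS error message
// and HTML-encode every part of it before building markup for the page.

// Error body constructed from the message quoted above.
const SAMPLE_ERROR =
  'com.ibm.ecm.cmis.exceptions.InvalidArgumentException: \n' +
  'CIL1147: The URL of the request is not valid. \n' +
  ' URL: http://example.com/cmcmis/resources/$x!icmnlsdb/Checkedout/ \n' +
  ' Invalid portion of the URL: /"><script>alert(25686)</script>';

// Characters that have meaning in HTML content or attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode text so a browser shows it literally instead of parsing it.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Split the message into the exception class, the CILnnnn message id,
// the message text and the detail lines. The layout is taken from the
// sample above; an unexpected layout falls back to the raw text.
function parseCmisError(body) {
  const lines = body.split('\n').map((l) => l.trim()).filter(Boolean);
  const exception = lines[0] ? lines[0].replace(/:\s*$/, '') : '';
  const idMatch = lines[1] ? lines[1].match(/^([A-Z]+\d+):\s*(.*)$/) : null;
  return {
    exception,
    messageId: idMatch ? idMatch[1] : '',
    message: idMatch ? idMatch[2].trim() : (lines[1] || body),
    details: lines.slice(2),
  };
}

// Build markup for an error panel. Every string from the response goes
// through escapeHtml(); only the tags written here are real markup.
function renderErrorHtml(body) {
  const err = parseCmisError(body);
  const details = err.details
    .map((d) => '<li>' + escapeHtml(d) + '</li>').join('');
  return (
    '<div class="cmis-error">' +
    '<strong>' + escapeHtml(err.messageId) + '</strong> ' +
    escapeHtml(err.message) +
    '<ul>' + details + '</ul>' +
    '<small>' + escapeHtml(err.exception) + '</small>' +
    '</div>'
  );
}
```

In a browser, assigning the message to an element's textContent property gives the same protection for a plain text display; the explicit encoding above is needed when the message is spliced into an HTML string.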