Created by: ROD TAGUCHI on 11-02-2013 02:46:10 PM I'd like to know more about enabling JavaScript on a POST. I am building forms that can use a little more interaction with variables and drop down boxes. I believe AntiSamy needs to be customized to allow this... or turned off completely. I'd like to know how Cisco has this configured internally (as much as can be discussed) and hear best practices for AntiSamy on WebEx Social. Would it be a bad idea to allow JavaScript in a POST? If I do enable this, how do I allow JavaScript without turning off AntiSamy? Has anyone done this? What is Cisco's guidance here? Thank you, Rod
Subject: RE: AntiSamy customization to allow javascript Replied by: Kalin Sheytanov on 12-02-2013 01:58:18 AM Hello Rod, The default location for the AntiSamy policy file, on every app server node, is: /opt/cisco/quad/tomcat/webapps/ROOT/WEB-INF/antisamy-quad.xml Additionally, AntiSamy can be enabled/disabled through the "antisamy.policy.engine" property, though this is HIGHLY discouraged as this will open the WebEx Social application to Cross-Site Scripting. The official Cisco recommendation would be to leave the default AntiSamy configuration, as editing it opens security holes and may lead to unauthorized access to login cookies, corp. user passwords and other sensitive data. Best Regards, Kalin.
Subject: Re: New Message from Kalin Sheytanov in WebEx Social Developer - WebEx Soci Replied by: Christopher Chandler on 12-02-2013 11:06:43 AM To add a "real-world" example (real-world in quotes, as I'm making up the names but this kind of thing absolutely happens):
Some user finds this great "LOLCats of the Day" site that they want to embed in their My View. The site gives them the embed code, similar to how YouTube does.
Now the user gets to see a new cute kitten each day. The issue is, living within the JavaScript that feeds them kitty pics, there could be things like a keystroke logger, code that looks for sensitive cookies (e.g.: Bank session ID, user IDs [which are often stored in cookies, despite it being bad practice]), etc.
Think of it as similar to a Trojan. You think you're installing some useful app, but in reality there is some malware that comes along for the ride.
If you enable the <script> tag - or disable AntiSamy altogether - then you open this as a potential hole.
Ultimately, it's up to you and your Security team to determine whether or not that is a significant risk for your user base. We default the product to be the most secure we can make it, then leave it up to you on how much you want to loosen the restrictions.
Hope that helps!
Subject: RE: AntiSamy customization to allow javascript Replied by: ROD TAGUCHI on 26-02-2013 02:16:54 PM OK, understood. How about if I wanted to create a post with a link that sends an Email using the Mailto: tag. Is this something that could be allowed? When I add the mailto: tag in HTML in the editor, saving strips it away and I'm assuming that AntiSamy has removed it.
The MAILTO: tag would be desirable. Is this something that can be allowed without opening major holes in security?
Thanks Rod
Subject: Re: New Message from ROD TAGUCHI in WebEx Social Developer - WebEx Social 3 Replied by: Christopher Chandler on 27-02-2013 01:10:18 PM Rod,
It's working for me on 3.1 and 3.0 using this example: <a href="mailto:your@email.address?subject=Clicking Mailto Link">Contact Us</a>
Subject: RE: AntiSamy customization to allow javascript Replied by: ROD TAGUCHI on 27-02-2013 03:16:56 PM Thanks Chris, That does work. I'll check to see why my link wasn't working. But looks good. I also am adding #tags in the Subject line so the email automatically contains social tags. Rod
Subject: RE: AntiSamy customization to allow javascript Replied by: ROD TAGUCHI on 08-03-2013 10:01:30 AM Chris, It looks like some of the characters are not allowed within the mailto: tag, however if you keep away from those, it works fine. ASCII characters are allowed, which makes carriage returns somewhat manageable.
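Added example, not code from Cisco or from anyone in this thread: a small Java program that runs the OWASP AntiSamy library (the sanitizer WebEx Social uses) against two constructed inputs, the "embed code with a script" case from Christopher's LOLCats illustration and the mailto: link he posted, using the default policy path Kalin quoted. It assumes the AntiSamy jar and its dependencies are on the classpath and that the policy file is readable from where you run it; what survives depends entirely on that policy file, which is the point of the check.

```java
// Added example (not WebEx Social's own code): check what a given AntiSamy
// policy keeps and what it strips, so a policy edit can be reviewed before
// it reaches an app server node.
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyPolicyCheck {

    // Default policy location on each app server node, as quoted in the thread.
    static final String POLICY_PATH =
        "/opt/cisco/quad/tomcat/webapps/ROOT/WEB-INF/antisamy-quad.xml";

    // Constructed sample inputs (the host name is a placeholder, not a real site):
    // the "embed code" case from Christopher's example, and his mailto: link.
    static final String EMBED_WITH_SCRIPT =
        "<div>Kitten of the day</div>"
      + "<script src=\"http://lolcats.example/widget.js\"></script>";
    static final String MAILTO_LINK =
        "<a href=\"mailto:your@email.address?subject=Clicking Mailto Link\">"
      + "Contact Us</a>";

    // Runs one input through the policy and prints each element or attribute
    // the sanitizer removed; returns the HTML that survived.
    static String sanitize(Policy policy, String taintedHtml)
            throws ScanException, PolicyException {
        CleanResults results = new AntiSamy().scan(taintedHtml, policy);
        for (String msg : results.getErrorMessages()) {
            System.out.println("  removed: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Optional first argument: an alternate policy file (e.g. a proposed edit).
        String path = args.length > 0 ? args[0] : POLICY_PATH;
        Policy policy = Policy.getInstance(path);

        System.out.println("Embed with <script> tag:");
        System.out.println("  clean: " + sanitize(policy, EMBED_WITH_SCRIPT));

        System.out.println("mailto: link:");
        System.out.println("  clean: " + sanitize(policy, MAILTO_LINK));
    }
}
```

Comparing the output of the shipped policy with that of a proposed edit shows exactly which additional tags or attributes the edit lets through.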