™ into their content that can, among other things, steal a user's session. Session stealing in a single sign-on (SSO) environment poses particular challenges because any vulnerability to XSS attacks can render the entire single sign-on domain vulnerable.
One of the ways that IBM
, from user input added to a post or entry before saving the post or entry to an application; it does not filter file attachments. You can turn off the active content filter altogether if you determine that your network is safe from the threat of malicious attacks. You can also change the content that is filtered per application by editing the configuration properties.
While securing IBM
content to a blog. Some areas to consider when deciding which security measures to implement are:
When active content filtering is enabled, users cannot add certain types of content to text-based fields. The product ships with a set of active content filter configuration files which specify which types of content are allowed and which are not. The configuration files used by the product by default allow users to edit styles and add forms to entries in each of the applications. They also allow users of the Blogs and Wikis applications to add flash content to entries. You can use the default filter settings or you can choose to apply other settings. See Configuring the active content filter for more details.
File uploads
Protecting against malicious active content
Blogs supports the use of custom templates, which give the blog owner the ability to change the look of the blog. A custom template page is not filtered by the active content filter, so allowing custom templates introduces an XSS vulnerability.
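As an added illustration of the allow-list behaviour described above (example code, not IBM's ACF code or its configuration file format), a minimal per-application filter in Python; the application names, tag sets and the event-handler and javascript: URL checks are assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Hypothetical per-application allow-lists modelled on the description above: all
# applications accept styles and forms, Blogs also accepts Flash. Not IBM's ACF format.
POLICIES = {
    "blogs": {"p", "a", "b", "i", "img", "style", "form", "input", "embed", "object"},
    "activities": {"p", "a", "b", "i", "img", "style", "form", "input"},
}
URL_ATTRS = {"href", "src", "action"}  # attributes that can carry a javascript: URL


class ActiveContentFilter(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags and non-executable attributes."""
    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.dropped = allowed_tags, [], []
        self.in_dropped_script = False  # swallow the body of a removed <script>

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lower-cased
        if tag not in self.allowed:
            self.dropped.append(f"tag:{tag}")
            self.in_dropped_script = tag == "script"
            return
        kept = []
        for name, value in attrs:
            script_url = name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:")
            if name.startswith("on") or script_url:  # event handler or script URL
                self.dropped.append(f"attr:{tag}@{name}")
            else:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.in_dropped_script = self.in_dropped_script and tag != "script"
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_dropped_script:
            self.out.append(html.escape(data, quote=False))  # text stays text, never markup


def filter_content(app, markup, enabled=True):
    """Return (filtered_markup, dropped_items); with the filter turned off, input passes through."""
    if not enabled:
        return markup, []
    f = ActiveContentFilter(POLICIES[app])
    f.feed(markup)
    f.close()
    return "".join(f.out), f.dropped
```

Running `filter_content` with `"blogs"` and `"activities"` on the same post shows which tags each policy keeps, and `enabled=False` shows what turning the filter off lets through.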
Configuring the active content filter for Blogs, Wikis, and Forums
Connections provides a set of active content filter (ACF) configuration files that you can apply to the Blogs, Wikis, or Forums applications to limit or widen the types of content that users can add to their blog posts, wiki pages, or forum posts.
Configuring the active content filter for Activities, Communities, and Bookmarks
Connections provides a set of active content filter (ACF) configuration files that you can apply to the Activities, Communities, or Bookmarks applications to limit or widen the types of content that users can add to their entries.
Mitigating a cross-site scripting attack
If you deem that your network is secure enough to turn off the active content filter, consider using one of the configuration options described in this topic to mitigate an attack should one occur.
Turning off active content filtering
Only turn off active content filtering if you have secured your network against cross-site scripting attacks by other means.