Dynamic content in CMS page

Posted: Thu May 30, 2013 9:21 pm
by fdboles
Is there any way to permit dynamic content (e.g. javascript) in pages maintained in CMS? It appears that any HTML content containing such tags is rejected by the exploit protection service. This seems to occur deep within the Admin core code. I would like to disable exploit protection for HTML type CMS fields. Is there a way to do this via configuration or service override?

Re: Dynamic content in CMS page

Posted: Thu May 30, 2013 9:33 pm
by phillipuniverse
What version of Broadleaf are you using?

Re: Dynamic content in CMS page

Posted: Thu May 30, 2013 9:45 pm
by phillipuniverse
Actually, I think this is applicable for all versions of Broadleaf.

If you want to disable the XSS protection completely, you can override the blExploitProtectionService bean in the admin. So somewhere in your applicationContext-admin.xml file:

Code:

<bean id="blExploitProtectionService" class="org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl">
    <property name="xssProtectionEnabled" value="false" />
</bean>


This will disable all of that cleaning. Alternatively, you could provide your own antisamy policy file. The one that we are using is at https://github.com/BroadleafCommerce/Br ... -1.4.4.xml so you could use that for reference. If you go this route, it probably makes the most sense to just copy this file into your own project and modify it as needed.

If you go that route, you'll need to tell the exploit protection service to load this file instead:

Code:

<bean id="blExploitProtectionService" class="org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl">
    <property name="antiSamyPolicyFileLocation" value="classpath:your-antisamy-policy.xml" />
</bean>


Finally, you could just override the bean with your own class and override the cleanString and cleanStringWithResults methods to just return the string:

Code:

package com.yourcompany.admin.exploit.service;

import org.broadleafcommerce.common.exception.ServiceException;
import org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl;

// Pass-through variant: both cleaning methods return their input unchanged,
// so no AntiSamy sanitization is applied to anything routed through this bean.
public class PassThroughExploitProtectionService extends ExploitProtectionServiceImpl {

    @Override
    public String cleanString(String string) throws ServiceException {
        return string;
    }

    @Override
    public String cleanStringWithResults(String string) throws ServiceException {
        return string;
    }
}

And then override that bean definition with your custom class:

Code:

<bean id="blExploitProtectionService" class="com.yourcompany.admin.exploit.service.PassThroughExploitProtectionService" />


The first and third are obviously the least restrictive and easiest, while the second option is more difficult but still affords you some protection. What you need depends on your specific use cases.

Re: Dynamic content in CMS page

Posted: Thu May 30, 2013 10:00 pm
by fdboles
Awesome, Phillip. Thanks for the quick reply. I wasn't thinking of disabling exploit protection completely, but since this can be restricted to the Admin, I consider this relatively safe. This turned out to be a quick and easy fix, though it took me a few hours to understand what was happening in the first place.

Thanks again!

Re: Dynamic content in CMS page

Posted: Wed Sep 25, 2013 8:53 am
by denis
Hi,

I have some trouble with blExploitProtectionService (BLC 2.2.1-SNAPSHOT). I want to be able to add JavaScript code in the RichTextEditor, so I have disabled the XSS protection. It works fine, BUT if you remove the XSS protection, closing tags are removed when you edit the HTML with the RichTextEditor, and when you save the new HTML the closing tags are not added back. In the front office a Thymeleaf parse exception occurs because there is no closing tag for the br tag, for example.

Is there a solution to disable XSS protection but keep closing tags?

Re: Dynamic content in CMS page

Posted: Wed Oct 09, 2013 7:00 am
by denis
The problem is due to antisamy-tinymce-1.4.4.xml. Could you please tell me how to override this file?

Thanks

Re: Dynamic content in CMS page

Posted: Wed Oct 09, 2013 10:28 am
by phillipuniverse
@denis:

In your admin app context, include this:

Code:

<bean id="blExploitProtectionService" class="org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl">
    <property name="antiSamyPolicyFileLocation" value="classpath:path/to/your/antisamy.xml" />
</bean>
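
The policy-override route from Phillip's two replies above, and denis's unclosed-tag problem, can both be checked before a policy file goes into the admin. What follows is an added example and not Broadleaf code or code from anyone in this thread: a standalone harness that feeds constructed editor markup through AntiSamy (the library behind blExploitProtectionService) with a policy file, prints what the policy stripped, and reports whether the result is well-formed XML, which is what Thymeleaf's XML-based template modes require. The class name, the default policy path and the sample markup are assumptions. AntiSamy emits self-closed tags such as `<br />` only when the policy's useXHTML directive is true, so that directive is the first thing to check in a copied policy. Whichever of the three options is chosen, keep in mind that the cleaning runs on admin input but the result is rendered to every storefront visitor, so turning it off turns any admin account (or a CSRF against one) into a stored-XSS vector.

```java
package com.yourcompany.admin.exploit.service;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

/**
 * Hypothetical harness (not part of Broadleaf): runs sample CMS markup through
 * AntiSamy with a chosen policy and reports what was stripped and whether the
 * cleaned output is well-formed XML.
 */
public class AntiSamyPolicyCheck {

    // Constructed sample: typical rich-text-editor output (note the unclosed
    // <br> and <img>) plus payloads a sane policy is expected to strip.
    static final String SAMPLE =
        "<p>Hello<br>World</p>"
        + "<script>alert('xss')</script>"
        + "<a href=\"javascript:alert(1)\">link</a>"
        + "<img src=\"x\" onerror=\"alert(2)\">";

    /** Sanitizes html with the given AntiSamy policy. */
    public static CleanResults clean(String html, Policy policy) throws Exception {
        return new AntiSamy().scan(html, policy);
    }

    /** True if the fragment parses as XML once wrapped in a single root element. */
    public static boolean isWellFormedXml(String fragment) {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // Refuse DOCTYPEs so this check cannot itself be abused for XXE.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
            String wrapped = "<root>" + fragment + "</root>";
            InputStream in = new ByteArrayInputStream(wrapped.getBytes(StandardCharsets.UTF_8));
            dbf.newDocumentBuilder().parse(in);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed default location; Policy.getInstance also accepts a File, URL or InputStream.
        String policyPath = args.length > 0 ? args[0] : "src/main/resources/your-antisamy-policy.xml";
        Policy policy = Policy.getInstance(policyPath);

        CleanResults results = clean(SAMPLE, policy);
        String cleaned = results.getCleanHTML();

        System.out.println("Input:                     " + SAMPLE);
        System.out.println("Cleaned:                   " + cleaned);
        System.out.println("Raw input well-formed XML: " + isWellFormedXml(SAMPLE));
        System.out.println("Cleaned well-formed XML:   " + isWellFormedXml(cleaned));
        for (String msg : results.getErrorMessages()) {
            System.out.println("Stripped: " + msg);
        }
    }
}
```

Run it once against the copied antisamy-tinymce policy and once against the modified one: the raw sample is never well-formed XML because of the unclosed tags, which is exactly the failure denis saw in the front office with cleaning disabled, while the cleaned output is well-formed only if the policy keeps useXHTML set to true. Any tag you add to the policy with action="validate" should then show up in the cleaned output instead of in the stripped list.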

Re: Dynamic content in CMS page

Posted: Wed Oct 09, 2013 4:48 pm
by denis
Thanks Phillip. I modified my AntiSamy policy to allow JavaScript, but closing tags are always removed by the BLCRichTextEditor. In any case, my problem is solved by keeping the AntiSamy policy. Thanks again!