Protecting against malicious active content
The active content filter prevents users from embedding malicious content in Communities input fields.
To edit configuration files, use the IBM WebSphere Application Server wsadmin client. See Start the wsadmin client for details.
Communities provides a filter that prevents users from using rich text descriptions with malicious scripts that are started when other users visit Communities. You can disable this filter to provide richer options for content in any Communities text input field. Disabling this filter introduces vulnerability to cross-site scripting (XSS) and other types of malicious attack. See Securing features from malicious attack for additional information.
To configure the active content filter...
- Use the wsadmin client to access and check out the Communities configuration files.
- Access the Communities configuration files:
- Stand-alone deployment:
execfile("communitiesAdmin.py")
- Network deployment:
execfile("WAS_HOME/communities/Dmgr01/config/bin_lc_admin/communitiesAdmin.py")
If you are asked to select a server, you can select any server.
- Check out the Communities configuration files...
CommunitiesConfigService.checkOutConfig("<working_directory>", "cell_name")
where:
- <working_directory> is the temporary working directory to which the configuration XML and XSD files are copied. The files are kept in this working directory while you make changes to them.
- cell_name is the name of the WebSphere Application Server cell hosting the Lotus Connections feature. This argument is required even in stand-alone deployments. If you do not know the cell name, do one of the following to determine it:
- Stand-alone deployment: Look at the directory name that follows this path in the file system:
WAS_HOME\profiles\profile_name\config\cells\
- Network deployment: Type the following command while in the wsadmin command processor:
print AdminControl.getCell()
For example:
CommunitiesConfigService.checkOutConfig("/opt/my_temp_dir", "CommServerNode01Cell")
- Optional: To check the current setting of the active content filter property...
CommunitiesConfigService.showConfig()
Look for the following property in the output that displays:
activeContentFilter.enabled = true
- To change the value of the active content filter property...
CommunitiesConfigService.updateConfig("<property>", "<value>")
where:
- <property> is one of the editable Communities configuration properties.
- <value> is the new value with which you want to set that property.
The following table displays information regarding the active content filter property and the type of data that you can enter for it.
The active content filter property
| Property | Description |
| --- | --- |
| activeContentFilter.enabled | When enabled, this property prevents the addition of active content (JavaScript™, for example) to any Community text input field. This property takes a Boolean value: true or false. |
For example:
CommunitiesConfigService.updateConfig("activeContentFilter.enabled", "false")
- After making changes, check the configuration files back in. For the changes to take effect, you must check the files in during the same wsadmin session in which you checked them out. See Applying property changes for information about how to save and apply your changes.
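The optional check step above, as an added example that is not part of the original documentation: a Python script that parses captured CommunitiesConfigService.showConfig() output and reports whether the active content filter is still on. It assumes the output consists of "name = value" lines like the property line shown above; the sample text and the example.placeholderProperty name are constructed.

```python
import re

# Property name taken from the page; everything else here is illustrative.
PROPERTY = "activeContentFilter.enabled"

# Assumption: showConfig() prints one "name = value" pair per line.
_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_show_config(output):
    """Return {property: [values]} for every 'name = value' line found."""
    props = {}
    for line in output.splitlines():
        match = _LINE.match(line)
        if match:
            props.setdefault(match.group(1), []).append(match.group(2))
    return props


def audit_filter(output):
    """Classify the filter state as 'enabled', 'disabled', 'missing' or 'invalid'."""
    values = parse_show_config(output).get(PROPERTY)
    if not values:
        return "missing"          # property not reported at all
    states = {value.lower() for value in values}
    if states == {"true"}:
        return "enabled"
    if states == {"false"}:
        return "disabled"         # XSS protection is off
    return "invalid"              # non-Boolean or conflicting values


# Constructed sample output (not captured from a real deployment).
SAMPLE_ENABLED = """\
wsadmin>CommunitiesConfigService.showConfig()
Communities configuration properties:
    example.placeholderProperty = 10
    activeContentFilter.enabled = true
"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace("= true", "= false")

if __name__ == "__main__":
    for name, text in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        print(name, "sample ->", audit_filter(text))
```

Treat any result other than enabled as a finding: a missing or unparseable value should be confirmed in the wsadmin session rather than assumed safe.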