Getting error messages from RESTful AtomPub bindings
The RESTful AtomPub binding of the IBM® ECM CMIS interface reports errors back to the application by using a MIME type of text/plain. If you get error messages that include HTML-like syntax, use HTML Encoding for the IBM ECM CMIS error messages before inserting them in your HTML web page.
Symptoms
Consider the following example URL: http://example.com/cmcmis/resources/$x!icmnlsdb/Checkedout/"><script>alert(25686)</script>
Using this URL returns the following error message:
com.ibm.ecm.cmis.exceptions.InvalidArgumentException: CIL1147: The URL of the request is not valid. URL: http://example.com/cmcmis/resources/$x!icmnlsdb/Checkedout/ Invalid portion of the URL: /"><script>alert(25686)</script>
Causes
For certain error messages, the detailed information about the arguments or URLs that are not valid is included in the text of the error message to help with problem determination.
Resolving the problem
Administrator response: The error message itself is not the problem. Some security validation tools, including Rational AppScan, interpret this response as a cross-site scripting vulnerability because the text is not HTML Encoded. However, it is not a vulnerability because web browsers do not run any code in documents with a MIME type of text/plain. If your CMIS application is web-based, you might choose to display this error message in an HTML web page. You must use HTML Encoding for the IBM ECM CMIS error messages before inserting them in your HTML web page. For example, the portion of the URL in the error message must be written as &lt;script&gt; instead of <script>. Otherwise, your CMIS application might be vulnerable to cross-site scripting attacks.
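The following is an added example, not code from the IBM technote, that shows the encoding step the administrator response requires: a web client HTML-encodes the text/plain error message (the CIL1147 message quoted above is used as the sample) before placing it in markup. The helper names htmlEncode and renderCmisError are assumptions.

```javascript
// Added example (not from the IBM technote): HTML-encode a CMIS AtomPub error
// message before inserting it in an HTML page. The helper names are hypothetical.

// Characters that are significant in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every HTML-significant character. The message arrived as text/plain and
// echoes the request URL, so it may contain anything a caller put into that URL.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for an error box. Interpolating the raw message here would be
// the cross-site scripting defect the technote describes; the encoded text is inert.
function renderCmisError(message) {
  return `<pre class="cmis-error">${htmlEncode(message)}</pre>`;
}

// In a browser, an alternative with the same effect is the DOM text API, which
// never parses the string as HTML:
//   const pre = document.createElement("pre");
//   pre.textContent = message;
//   container.appendChild(pre);

// Error message quoted in the technote, as received from the AtomPub binding.
const SAMPLE_ERROR =
  "com.ibm.ecm.cmis.exceptions.InvalidArgumentException: CIL1147: " +
  "The URL of the request is not valid. " +
  "URL: http://example.com/cmcmis/resources/$x!icmnlsdb/Checkedout/ " +
  'Invalid portion of the URL: /"><script>alert(25686)</script>';

console.log(renderCmisError(SAMPLE_ERROR));
```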