Properties to Prevent Cross-Site Scripting Vulnerabilities

In some cases, data sent to or returned from Sterling B2B Integrator can contain HTML characters that change how the input is displayed and alter its original intent. Input can also contain malicious HTML, such as script or active content embedded within <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED> tags.

CAUTION:
Change only the properties referred to in this section. Changes to any other properties for the purpose of preventing cross-site scripting vulnerabilities are not supported.

The yfs.htmlencoding.triggers property in the yfs.properties.in file lists the characters that signal potentially unsafe HTML content. By default these are:

  • Greater than symbol ( > )
  • Less than symbol ( < )
  • Right parenthesis ( ) )
  • Right bracket ( ] )

If needed, you can override yfs.htmlencoding.triggers in the customer_overrides.properties file to add any other characters your implementation requires. Because encoding is applied only when one of the listed characters is present in the output, make sure the list covers every character that is significant in the context where your data is emitted (for example, quote characters if data is written inside HTML attributes).

If information being written to the browser contains any of these characters, the output is encoded so that the browser renders the characters literally instead of interpreting them as markup, which prevents exploitation of cross-site scripting vulnerabilities.
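The following Python is an added illustration of the trigger-based scheme described above; it is not code from Sterling B2B Integrator, and the product's own encoder and the on-disk format of the property value are not shown on this page. It assumes html.escape as a stand-in encoder and uses constructed sample values. It shows both the default behaviour and why you might extend the trigger list with quote characters for attribute contexts.

```python
import html

# Trigger characters named on this page for yfs.htmlencoding.triggers.
# The property's value format is not shown here, so the set is written out
# directly (assumption for this example).
DEFAULT_TRIGGERS = frozenset("<>)]")


def encode_if_triggered(text, triggers=DEFAULT_TRIGGERS):
    """Encode text for HTML output only if it contains a trigger character.

    Returns (output, was_encoded). html.escape stands in for the product's
    own encoder (assumption); it rewrites & < > " ' as entities so that the
    browser renders them literally rather than as markup.
    """
    if any(ch in triggers for ch in text):
        return html.escape(text, quote=True), True
    return text, False


def render_cell(value, triggers=DEFAULT_TRIGGERS):
    """Place an untrusted value in a table cell, encoding when triggered."""
    out, _ = encode_if_triggered(value, triggers)
    return f"<td>{out}</td>"


# Constructed sample values (not taken from the product or the page).
SAMPLES = {
    "plain": "Order 42 shipped",
    "script_tag": "<SCRIPT>alert(1)</SCRIPT>",
    # Breaks out of a double-quoted attribute without using any of the
    # four default trigger characters.
    "attr_breakout": 'x" style="background:red',
}


def run_samples(triggers=DEFAULT_TRIGGERS):
    """Apply the trigger check to every sample; returns name -> (output, encoded)."""
    return {name: encode_if_triggered(v, triggers) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    print("default triggers:")
    for name, (out, enc) in run_samples().items():
        print(f"  {name:14} encoded={enc!s:5} {out}")

    # With the defaults, the attribute breakout contains no trigger and passes
    # through unchanged. Adding the quote characters, as the page allows via
    # customer_overrides.properties, makes that sample encoded as well.
    extended = DEFAULT_TRIGGERS | frozenset("\"'")
    print("triggers extended with quotes:")
    for name, (out, enc) in run_samples(extended).items():
        print(f"  {name:14} encoded={enc!s:5} {out}")
```

The point of the third sample is the check a practitioner would make when tuning the trigger list: walk through every place untrusted data is written (element content, attribute values, script blocks) and confirm the characters that matter in that context are present in the list, since data with no trigger character is written as-is.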

For more detailed information about malicious scripts, see the following CERT publications, which can be found by searching the Internet:
  • CERT Advisory, Malicious HTML Tags Embedded in Client Web Requests.
  • CERT Advisory, Frequently Asked Questions About Malicious Web Scripts Redirected by Web Sites.