The active content filter prevents users from embedding malicious content in Communities input fields.
Before you begin
To edit configuration files, you must use the IBM® WebSphere® Application Server wsadmin client. See Starting the wsadmin client for details.
About this task
Communities provides a filter that prevents users from using rich text descriptions with malicious scripts that are started when other users visit Communities. You can disable this filter to provide richer options for content in any Communities text input field.
Note: Disabling this filter introduces vulnerability to cross-site scripting (XSS) and other types of malicious attack. See Securing applications from malicious attack for additional information.
Procedure
To configure the active content filter, complete the following steps.
- Start the wsadmin client from the following directory of the system on which you installed the Deployment Manager:
  app_server_root\profiles\dm_profile_root\bin
  where app_server_root is the WebSphere Application Server installation directory and dm_profile_root is the Deployment Manager profile directory, typically dmgr01. You must start the client from this directory or subsequent commands that you enter do not execute correctly.
- Start the Communities Jython script interpreter.
- Use the following command to access the Communities configuration files:
  execfile("communitiesAdmin.py")
  If prompted to specify a service to connect to, type 1 to pick the first node in the list. Most commands can run on any node. If the command writes or reads information to or from a file using a local file path, you must pick the node where the file is stored.
- Check out the Communities configuration files using the following command:
  CommunitiesConfigService.checkOutConfig("working_directory", "cell_name")
  where:
  - working_directory is the temporary working directory to which the configuration XML and XSD files are copied. The files are kept in this working directory while you make changes to them.
    Note: AIX®, Linux, and IBM i only: The directory must grant write permissions or the command will not run successfully.
  - cell_name is the name of the WebSphere Application Server cell hosting the IBM Connections application. This argument is required. If you do not know the cell name, you can determine it by typing the following command in the wsadmin command processor:
    print AdminControl.getCell()
  For example:
  CommunitiesConfigService.checkOutConfig("/opt/my_temp_dir", "CommServerNode01Cell")
- Optional: To check the current setting of the active content filter property, use the following command:
  CommunitiesConfigService.showConfig()
  Look for the following property in the output that displays:
  activeContentFilter.enabled = true
- If you want to change the value of the active content filter property, use the following command:
  CommunitiesConfigService.updateConfig("property", "value")
  where:
  - property is one of the editable Communities configuration properties.
  - value is the new value with which you want to set that property.
  The following table displays information regarding the active content filter property and the type of data that you can enter for it.
  Table 1. The active content filter property
  Property | Description
  activeContentFilter.enabled | When enabled, this property prevents the addition of active content (JavaScript, for example) to any Community text input field. This property takes a Boolean value: true or false.
  For example:
  CommunitiesConfigService.updateConfig("activeContentFilter.enabled", "false")
- After making changes, you must check the configuration files back in, and you must do so during the same wsadmin session in which you checked them out for the changes to take effect. See Applying property changes in Communities for information about how to save and apply your changes.
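
Because a disabled filter exposes Communities to XSS, it is worth auditing the setting across cells. The following added example (not IBM code) parses saved showConfig() output for the property line shown in the procedure and reports every capture where the filter is not confirmed as enabled. It assumes the output was saved as text in the `property = value` form shown above; the capture labels and the extra property name are constructed placeholders.

```python
import re

PROPERTY = "activeContentFilter.enabled"
# Matches "name = value" lines in the form shown for showConfig() above.
LINE_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$")


def filter_state(show_config_output):
    """Return 'enabled', 'disabled', 'missing' or 'invalid' for the filter."""
    values = []
    for line in show_config_output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == PROPERTY:
            # Value case is normalised here; this is an audit-side assumption.
            values.append(m.group(2).lower())
    if not values:
        return "missing"
    # Conflicting or non-Boolean entries are reported, not guessed at.
    if len(set(values)) > 1 or values[0] not in ("true", "false"):
        return "invalid"
    return "enabled" if values[0] == "true" else "disabled"


def audit(captures):
    """Return {label: state} for every capture that needs review."""
    states = {label: filter_state(text) for label, text in captures.items()}
    return {label: s for label, s in states.items() if s != "enabled"}


# Constructed sample captures (labels and the extra property are placeholders).
SAMPLES = {
    "cell-a": "example.placeholder.property = 10\n"
              "activeContentFilter.enabled = true\n",
    "cell-b": "activeContentFilter.enabled = false\n",
    "cell-c": "example.placeholder.property = 10\n",
    "cell-d": "  activeContentFilter.enabled =  False  \n",
}

if __name__ == "__main__":
    for label, state in sorted(audit(SAMPLES).items()):
        print("%s: active content filter %s" % (label, state))
```

A capture reported as missing or invalid means the output should be collected again or inspected by hand, since the filter state cannot be confirmed from it.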