topic Alfresco and cross-site attack in Alfresco Archive https://connect.hyland.com/t5/alfresco-archive/alfresco-and-cross-site-attack/m-p/108082#M75749 <HTML><HEAD></HEAD><BODY><SPAN>I am able to upload the following HTML document in Alfresco which may contain some malicious Javascript:</SPAN><BR /><BR /><SPAN>&lt;html&gt;</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&lt;head&gt;</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&lt;/head&gt;</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp;&lt;body&gt;</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;script type="text/javascript"&gt;</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;alert("You have been XSS attacked!");</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/script&gt;</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&lt;/body&gt;</SPAN><BR /><SPAN>&lt;/html&gt;</SPAN><BR /><BR /><SPAN>Users who view this HTML document may inadvertently execute malicious JavaScript code in the background.&nbsp; I am wondering what can be done to prevent this in Alfresco (1.3).</SPAN></BODY></HTML> Mon, 09 Apr 2007 15:24:33 GMT warrenzhai 2007-04-09T15:24:33Z Alfresco and cross-site attack https://connect.hyland.com/t5/alfresco-archive/alfresco-and-cross-site-attack/m-p/108082#M75749 I am able to upload the following HTML document in Alfresco which may contain some malicious Javascript:&lt;html&gt;&nbsp;&nbsp;&nbsp;&lt;head&gt;&nbsp;&nbsp;&nbsp;&lt;/head&gt;&nbsp;&nbsp;&nbsp;&lt;body&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;script type="text/javascript"&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;alert("You have been XSS attacked!");&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/script&gt;&nbsp;&nbsp;&nbsp;&lt;/body&gt;&lt;/html&gt; Mon, 09 Apr 2007 15:24:33 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-and-cross-site-attack/m-p/108082#M75749 warrenzhai 2007-04-09T15:24:33Z Re: Alfresco and cross-site attack https://connect.hyland.com/t5/alfresco-archive/alfresco-and-cross-site-attack/m-p/108083#M75750 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive-quote">I am able to upload the following HTML document in Alfresco which may contain some malicious Javascript:<BR /><BR />&lt;html&gt;<BR />&nbsp;&nbsp;&nbsp;&lt;head&gt;<BR />&nbsp;&nbsp;&nbsp;&lt;/head&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&lt;body&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;script type="text/javascript"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;alert("You have been XSS attacked!");<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/script&gt;<BR />&nbsp;&nbsp;&nbsp;&lt;/body&gt;<BR />&lt;/html&gt;<BR /><BR />Users who view this HTML document may inadvertently execute malicious JavaScript code in the background.&nbsp; I am wondering what can be done to prevent this in Alfresco (1.3).</BLOCKQUOTE><BR /><SPAN>You can write an action that executes when content is added to a space.&nbsp; That action can filter for whatever you think could cause harm.</SPAN></BODY></HTML> Mon, 16 Apr 2007 06:10:42 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-and-cross-site-attack/m-p/108083#M75750 rdanner 2007-04-16T06:10:42Z