Cross-Site Scripting (XSS) Protection

Applies to: VisualSP On-Premises

With the availability of the 5.5.9.0 update we now provide cross-site scripting protection. These instructions describe how to disable the preview on the edit help item screen and the analytics screen using a PowerShell cmdlet.

Summary: 

To allow previewing a help item that has not yet been saved, we pass the link property on the query string. Depending on the viewer type, the query string could be rendered in such a way that a malicious user could use it to perpetrate an XSS attack.

Similarly, the analytics pages may offer a preview of a help item using the link property even when the original item no longer exists. Disabling the preview feature removes this XSS vulnerability.
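The summary above describes a reflected XSS that arises when the unsaved item's link property is echoed from the query string into the page. As an added illustration (not VisualSP's own code), the following JavaScript renders a `link` query parameter the vulnerable way next to a hardened version (scheme allowlist plus HTML encoding) and a preview-disabled path that mirrors the effect of the cmdlet; the parameter name `link`, the URLs and the sample inputs are constructed assumptions.

```javascript
// Added example, not VisualSP code. The query parameter name "link" and the
// disablePreview semantics are assumptions made for illustration.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let a value break out of HTML text or attributes.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Only absolute http(s) URLs may be previewed; anything else (including values
// that are not URLs at all) is refused before it reaches the markup.
function isAllowedPreviewUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Vulnerable: the link property is read from the query string and spliced
// straight into the preview markup, so any markup in it is rendered as-is.
function renderPreviewUnsafe(queryString) {
  const link = new URLSearchParams(queryString).get('link') ?? '';
  return `<a href="${link}">${link}</a>`;
}

// Hardened: disabling the preview removes the sink entirely (the -DisablePreview
// behaviour); otherwise validate the scheme and encode before emitting markup.
function renderPreviewSafe(queryString, { disablePreview = false } = {}) {
  if (disablePreview) return '<p>Preview is disabled.</p>';
  const link = new URLSearchParams(queryString).get('link') ?? '';
  if (!isAllowedPreviewUrl(link)) return '<p>Preview unavailable: link not allowed.</p>';
  const enc = htmlEncode(link);
  return `<a href="${enc}" rel="noopener">${enc}</a>`;
}

// Constructed sample query strings: a benign link, a value that is not a URL and
// carries markup, and an http(s) URL whose path carries markup.
const BENIGN = 'link=' + encodeURIComponent('https://intranet.example/help/item?id=7&v=2');
const NOT_A_URL = 'link=' + encodeURIComponent('"><em>injected</em>');
const URL_WITH_MARKUP = 'link=' + encodeURIComponent('https://intranet.example/x"><em>injected</em>');

console.log(renderPreviewUnsafe(NOT_A_URL)); // markup survives into the page
console.log(renderPreviewSafe(NOT_A_URL));   // refused
console.log(renderPreviewSafe(BENIGN, { disablePreview: true }));
```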

Steps: 

  1. Deploy the 5.5.9.0 solution.
  2. Open the SharePoint Management Shell.
  3. Run the following command:

Set-VisualSPSettings -DisablePreview $true 

Expected Results

Go to Site Settings -> Manage VisualSP Help Items

Edit a Help item.

Before:

After:

For Analytics, go to Site Settings -> View Analytics Report

Before:

After:

Updated on October 17, 2018
