With the availability of the 22.214.171.124 update, we now provide cross-site scripting (XSS) protection. These instructions describe how to disable the preview feature on the Edit Help Item screen and the Analytics screen using a PowerShell cmdlet.
To allow a help item to be previewed before it has been saved, the item's link property is passed in the query string. Depending on the viewer type, that query string value could be rendered into the page without proper encoding, which would let a malicious user craft a preview URL that runs script in the viewer's browser (an XSS attack).
Similarly, the Analytics pages can preview a help item from its link property even when the original item no longer exists. Disabling the preview feature removes this attack surface on both screens.
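The following is an added example (not VisualSP code) that shows the failure mode described above in plain JavaScript: a `link` value taken from the query string is interpolated straight into markup, so a crafted value breaks out of the `href` attribute, and a hardened renderer that parses the value as a URL, restricts it to http(s) on an allowed origin and HTML-escapes it before emitting. The page path `_layouts/preview.aspx`, the CSS class names, the `sharepoint.example` host and the sample URLs are all constructed for illustration and are not taken from the product.

```javascript
// Added example, not VisualSP code. Demonstrates reflected XSS via a "link"
// query-string value and a hardened alternative. Hostnames, paths, class
// names and payloads below are constructed for illustration.
// URL is the WHATWG global available in Node.js and browsers.

// Constructed preview requests: the unsaved item's link travels as ?link=
const attackerUrl =
  "https://sharepoint.example/_layouts/preview.aspx?link=" +
  encodeURIComponent('"><img src=x onerror=alert(document.cookie)>');

const benignUrl =
  "https://sharepoint.example/_layouts/preview.aspx?link=" +
  encodeURIComponent("https://sharepoint.example/sites/help/HowTo.aspx");

const DISABLED_MARKUP =
  '<span class="vsp-preview-disabled">Preview unavailable</span>';

// Vulnerable: the raw query value is dropped straight into the markup, so a
// double quote in the value closes the href attribute and the rest of the
// payload becomes live HTML.
function renderPreviewVulnerable(requestUrl) {
  const link = new URL(requestUrl).searchParams.get("link") || "";
  return `<a class="vsp-preview" href="${link}">Preview</a>`;
}

// Minimal HTML escaping suitable for text and double-quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: parse the link as an absolute URL, accept only http(s), optionally
// require a specific origin, and HTML-escape the serialized URL before it
// goes into the attribute. Anything that fails a check renders no link.
function renderPreviewHardened(requestUrl, allowedOrigin) {
  const raw = new URL(requestUrl).searchParams.get("link") || "";
  let target;
  try {
    target = new URL(raw); // relative paths and arbitrary text throw here
  } catch (e) {
    return DISABLED_MARKUP;
  }
  const schemeOk = target.protocol === "https:" || target.protocol === "http:";
  const originOk = !allowedOrigin || target.origin === allowedOrigin;
  if (!schemeOk || !originOk) {
    return DISABLED_MARKUP;
  }
  return `<a class="vsp-preview" href="${escapeHtml(target.href)}">Preview</a>`;
}

// True when the rendered markup contains an injected element or event handler,
// i.e. the attacker's value escaped the href attribute.
function payloadEscaped(html) {
  return /onerror=|<img/i.test(html);
}

// Stand-alone run: show both renderers on the crafted request.
console.log("vulnerable:", renderPreviewVulnerable(attackerUrl));
console.log("hardened:  ", renderPreviewHardened(attackerUrl, "https://sharepoint.example"));
console.log("benign:    ", renderPreviewHardened(benignUrl, "https://sharepoint.example"));
```

The origin check is what turns this from "well-formed URL" into "URL we are willing to preview": a `javascript:` scheme or an external host is rejected before any markup is built, and escaping the serialized URL covers the remaining attribute-context characters. Where the product cannot guarantee this kind of rendering for every viewer type, removing the preview path entirely (as the cmdlet below does) is the simpler and safer control.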
- Deploy the 126.96.36.199 solution.
- Open the SharePoint Management Shell.
- Run the following command:
Set-VisualSPSettings -DisablePreview $true
To confirm that the preview option is no longer offered:
- Go to Site Settings -> Manage VisualSP Help Items and edit a Help item; the preview option should no longer be available.
- For Analytics, go to Site Settings -> View Analytics Report; the preview option should no longer be available there either.