XSS Protect analyzes all content saved in the DB. If it detects dangerous XSS code, NSP runs its sanitizing function and the offending tags are stripped from the HTML.
XSS Protect is disabled by default; customers enable it in localSite.config. For the feature to work it must be enabled for all sites: NSP.RestApi, NSP.Web, NSP.SSP, NNS Integration and Maintenance Host.
<add key="XssProtect" value="true"/>
If this key does not exist in localSite.config, the state defaults to false. The key is not delivered in localSite.config by default.
XSS Protect works as follows: NSP sanitizes the text of all content saved in the DB.
By default a fixed set of tags is allowed. Extra tags, schemes, attributes, classes, CSS properties and iframe URLs can be added in localSite.config with the following keys:
XssProtectAllowedTags, XssProtectAllowedSchemes, XssProtectAllowedAttributes, XssProtectAllowedClasses, XssProtectAllowedCssProperties, XssProtectAllowedIframeUrls
The value is a list separated with ;
Example:
<add key="XssProtectAllowedTags" value="extratag1;extratag2;extratag3"/>
To allow URLs for iframes (for example, to embed a YouTube video), the domain must be added to the allow list in the following way:
<add key="XssProtectAllowedIframeUrls" value="youtube.com"/>
When text such as a ticket description contains dangerous XSS code, NSP sanitizes it and the tags are stripped from the HTML.
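To make the allow-list behaviour concrete, here is an added Python illustration; it is not NSP's own code, which this page does not publish. It parses ';'-separated values the way the keys above expect, strips tags that are not allowed, drops attributes that are not on the list, rejects URI attributes with a disallowed scheme, and keeps an iframe only when its src host matches XssProtectAllowedIframeUrls. The allow lists inside it are shortened demo versions of the defaults listed further down, and filtering of CSS properties in style attributes is left out.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

def parse_list(value):
    # Split a semicolon-separated localSite.config value such as "a;b;c".
    return {v.strip().lower() for v in value.split(";") if v.strip()}

ALLOWED_TAGS = parse_list("a;b;i;p;br;img;iframe;span")  # demo lists, shorter than the defaults
ALLOWED_ATTRS = parse_list("href;src;title;alt")
ALLOWED_SCHEMES = parse_list("http;https;mailto")
URI_ATTRS = parse_list("action;background;dynsrc;href;lowsrc;src")
VOID_TAGS = {"br", "img", "hr", "input", "area", "col", "wbr"}

class Sanitizer(HTMLParser):
    def __init__(self, iframe_hosts):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.iframe_hosts = [], [], iframe_hosts
    def _uri_ok(self, tag, value):
        parts = urlsplit(value.strip())
        if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False  # e.g. a javascript: URI
        host = (parts.hostname or "").lower()  # iframes: XssProtectAllowedIframeUrls check
        return tag != "iframe" or any(host == h or host.endswith("." + h) for h in self.iframe_hosts)
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag markup is dropped; any text inside it is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                continue  # drops onclick=, onerror= and every other handler
            if name in URI_ATTRS and not self._uri_ok(tag, value or ""):
                if tag == "iframe":
                    return  # iframe outside the host allow list is removed whole
                continue
            kept.append(f' {name}="{escape(value or "")}"')
        if tag not in VOID_TAGS:
            self.open.append(tag)
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in self.open:  # only close tags that were actually emitted
            self.open.remove(tag)
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html, iframe_urls="youtube.com"):
    s = Sanitizer(parse_list(iframe_urls))  # iframe_urls uses the config's ';' format
    s.feed(html); s.close()
    return "".join(s.out)
```

Note that the host check requires an exact match or a subdomain of a listed domain, so a look-alike host that merely contains the allowed name is still rejected.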
By default, the lists below are included:
Tags allowed by default
a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hr, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr, iframe
Attributes allowed by default
abbr, accept, accept-charset, accesskey, action, align, alt, autocomplete, autosave, axis, bgcolor, border, cellpadding, cellspacing, challenge, char, charoff, charset, checked, cite, clear, color, cols, colspan, compact, contenteditable, coords, datetime, dir, disabled, draggable, dropzone, enctype, for, frame, headers, height, high, href, hreflang, hspace, ismap, keytype, label, lang, list, longdesc, low, max, maxlength, media, method, min, multiple, name, nohref, noshade, novalidate, nowrap, open, optimum, pattern, placeholder, prompt, pubdate, radiogroup, readonly, rel, required, rev, reversed, rows, rowspan, rules, scope, selected, shape, size, span, spellcheck, src, start, step, style, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, wrap
CSS properties allowed by default
background, background-attachment, background-clip, background-color, background-image, background-origin, background-position, background-repeat, background-repeat-x, background-repeat-y, background-size, border, border-bottom, border-bottom-color, border-bottom-left-radius, border-bottom-right-radius, border-bottom-style, border-bottom-width, border-collapse, border-color, border-image, border-image-outset, border-image-repeat, border-image-slice, border-image-source, border-image-width, border-left, border-left-color, border-left-style, border-left-width, border-radius, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-left-radius, border-top-right-radius, border-top-style, border-top-width, border-width, bottom, caption-side, clear, clip, color, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, float, font, font-family, font-feature-settings, font-kerning, font-language-override, font-size, font-size-adjust, font-stretch, font-style, font-synthesis, font-variant, font-variant-alternates, font-variant-caps, font-variant-east-asian, font-variant-ligatures, font-variant-numeric, font-variant-position, font-weight, height, left, letter-spacing, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width, min-height, min-width, opacity, orphans, outline, outline-color, outline-offset, outline-style, outline-width, overflow, overflow-wrap, overflow-x, overflow-y, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, quotes, right, table-layout, text-align, text-decoration, text-decoration-color, text-decoration-line, text-decoration-skip, text-decoration-style, text-indent, text-transform, top, unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing, z-index
CSS at-rules allowed by default
namespace, style
URI schemes allowed by default
http, https, nsp, mailto, data
Attributes treated as containing URIs by default
action, background, dynsrc, href, lowsrc, src