We are using Lotus Notes technology for web application development. In order to make our application more secure, we are trying to fix some security-level issues. One such issue that we are trying to fix is Cross-Site Scripting.
Here are the issue details. As part of the application functionality, data is passed from one web page to another to fulfill the workflow process. During this processing we need help handling rich text field data containing special characters () to protect against attacks from third parties, because our application is in the public domain.
Cross Site Scripting vulnerability is one that enables a hacker to place client side scripts (usually JavaScript) into web pages. XSS vulnerabilities generally occur when an application takes user input and outputs it in a page without validating, encoding or escaping it.
We are trying to solve the above issue for CKEditor (a third-party tool) being used in our application. The CKEditor field contains rich text data. We are unable to handle the request from the back end to prevent a hacker from altering the request parameters.
For your kind information, we are using Domino Release 9.0.1 FP4 on Windows/Longhorn 6.2 Intel, and the version of CKEditor is 4.4.6. We searched online for various solutions for handling XSS for the rich text field (CKEditor) but could not find any. We also saw that upgraded CKEditor versions do not provide any fix for the XSS issue.
Could you kindly provide code-level help to fix this XSS vulnerability?
Look at Content Filtering (ACF):
https://ckeditor.com/docs/ckeditor4/latest/guide/dev_acf.html
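ACF is configured with rule strings such as `config.allowedContent = 'p b i; a[!href]; img[src,alt](*)'`. The block below is an added example, not CKEditor's own code: a small re-implementation of how those string rules are read and applied to a single element, so the effect of a given allowedContent setting can be checked offline. Everything in it (the parser, `filterElement`, the sample rule string) is an assumption for illustration; real ACF also supports object, regexp and function rules and content transformations. One caveat that matters for the question: ACF runs in the browser, so a request that bypasses the editor can still carry any HTML; the Domino back end has to encode or sanitize stored rich text when it is rendered, regardless of what the editor allows.

```javascript
// Added example: a small re-implementation of how CKEditor 4's Advanced Content
// Filter (ACF) reads "string format" rules, so the effect of an allowedContent
// setting can be checked offline. This is NOT CKEditor's own filter code.
// Simplified grammar, same shape as the ACF guide:
//   rules := rule (";" rule)*
//   rule  := elements [ "[" attrs "]" ] [ "{" styles "}" ] [ "(" classes ")" ]
// "*" is a wildcard, a leading "!" marks a required attribute. Real ACF also
// supports object, regexp and function rules and content transformations.

function parseAcfRules(ruleString) {
  const list = (s) => (s ? s.split(',').map((x) => x.trim()).filter(Boolean) : []);
  return ruleString.split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((rule) => {
      const m = /^([\w\s*-]+?)\s*(?:\[([^\]]*)\])?\s*(?:\{([^}]*)\})?\s*(?:\(([^)]*)\))?$/.exec(rule);
      if (!m) throw new Error(`cannot parse ACF rule: "${rule}"`);
      return {
        elements: m[1].trim().split(/\s+/),
        attrs: list(m[2]),
        styles: list(m[3]),
        classes: list(m[4]),
      };
    });
}

// Apply the rules to one element. Returns null when the element must be
// dropped (no rule lists it, or a rule's required "!" attribute is missing),
// otherwise the element with every attribute/class the rules don't name
// removed. The {styles} part is parsed but, to keep this short, a style
// attribute survives only under a {*} rule.
function filterElement(rules, name, attrs = {}) {
  const kept = {};
  const keptClasses = new Set();
  let matched = false;
  for (const r of rules) {
    if (!r.elements.includes(name) && !r.elements.includes('*')) continue;
    const required = r.attrs.filter((a) => a.startsWith('!')).map((a) => a.slice(1));
    if (!required.every((a) => a in attrs)) continue; // this rule does not apply
    matched = true;
    const names = r.attrs.map((a) => a.replace(/^!/, ''));
    for (const [k, v] of Object.entries(attrs)) {
      if (k === 'class') {
        v.split(/\s+/).filter(Boolean)
          .filter((c) => r.classes.includes('*') || r.classes.includes(c))
          .forEach((c) => keptClasses.add(c));
      } else if (k === 'style') {
        if (r.styles.includes('*')) kept.style = v;
      } else if (names.includes('*') || names.includes(k)) {
        kept[k] = v;
      }
    }
  }
  if (!matched) return null;
  if (keptClasses.size) kept.class = [...keptClasses].join(' ');
  return { name, attrs: kept };
}

// Constructed configuration, the kind of string a site would put in
// config.allowedContent: paragraphs with bold/italic, links that must carry
// an href, and images with src/alt and any class.
const RULES = parseAcfRules('p b i; a[!href]; img[src,alt](*)');

function demo() {
  return {
    para: filterElement(RULES, 'p'),
    link: filterElement(RULES, 'a', { href: 'https://example.com', onclick: 'x()' }),
    bareLink: filterElement(RULES, 'a', {}),
    script: filterElement(RULES, 'script', { src: 'https://example.com/x.js' }),
    img: filterElement(RULES, 'img', { src: 'a.png', onerror: 'x()', class: 'thumb' }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the event-handler attributes (`onclick`, `onerror`) and the `script` element stripped while the listed elements survive; the same rule string, placed in `config.allowedContent`, is what the linked ACF guide describes.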
I want to let my users post articles on my website, but I have serious concerns about CKEditor security.
What I want to ask is:
Can users upload any kind of code that can put my site at risk through CKEditor?
Is there any way to limit users from those kinds of actions?
About my application:
I'm using Laravel 5.6 and the latest CKEditor version.
Please share your thoughts and experiences.
CKEditor is not insecure on purpose. There is no sense in developing an insecure product (except for educational purposes). It doesn't allow uploading executable content (as a feature). However, it does have a history of publicly exploited vulnerabilities, mostly due to its handling of the wide variety of user input that will be stored in user-accessible locations/paths.
Nonetheless, you can still mitigate its risks substantially if you simply restrict the paths which allow web app execution (PHP, ASP, etc.).
PHP example:
Create an .htaccess file in the dir where CKEditor places its user-generated/uploaded data. Inside that file place the following:
php_flag engine off
There are additional methods to achieve this, which depend on your specific environment. But the main idea remains - block execution abilities in the target dir for user content/uploads, and watch out for security updates for all your components.
One last note - the best practice to avoid users uploading executable content would be to store it in a non-web-exposed location. I would even advise outside of the web-served root dir. This also helps prevent a big portion of path traversal vulnerabilities. But specifically for a CKEditor type of plugin it makes the solution much more complicated, since that content needs to be accessed by web users (by design!).
[Disclaimer: I am new to Notes, and am picking up a project that was started by someone else, so I'm not sure if this is the best approach, and with that out of the way ....]
We have a Notes 9.0 frameset, which is being driven by a couple of databases. There are 4 parts to the frame set, with the primary one being the selection of a client. This populates the second frame with their information, and the third frame with any related clients - such as business partners, associates, etc. The fourth frame would be any and all correspondence listed with the related clients (either one or many) which has been placed into an XPage. We cannot, though, load the XPage inside the frame, having tried multiple instances of .urlopen(XPage location) and trying to open the notes:// source, http:// source, and setting the target frame in both the inline URL and as a .SetTargetFrame("frame") fashion.
Is it possible to open an XPage from within a Frameset, or is there a better approach to this?
Thanks
Integrating or embedding XPages into a traditional Domino web application is a common approach and straightforward because it's the same protocol with the same authentication. Integrating XPages into a standard Notes Client design element is challenging for a variety of reasons, not just the URL required but also because authentication to the client is via Notes ID stored on the PC, authentication to the XPage is via HTTP protocol.
If you're wishing to display a list of the correspondence in a standard Notes frameset in the Notes Client, the approach I'd take is just to point to a View or embedded view set to a single category based on the client selected. If it's a server within a decent connectivity range, view performance will be better. If it's just a list, the data should be available for a view. If it's to navigate into the documents and you want to open the correspondence in an XPage, that's achievable from a view by setting the property on the Form to open in a specific XPage.
I'm not certain, but it sounds like your choice to use the XPage was because someone had already developed an XPage of that information for web access, possibly for the external clients themselves. While re-using the previous code may seem a good approach, the challenges of integrating one technology into another (as you see) counter the benefits.
This isn't about XPages itself, it's about embedding technologies that are not really designed for that level of integration. Similarly if the correspondence was an Angular front end using REST services to pull the information from Domino, you would have similar issues integrating it into the Notes Client application (authentication, running code on the client to run code on the server to get data for the client to process - when Notes is already designed for good nrpc communication).
There may be benefits in time of migrating all of the frameset to an XPages application or a specific set of use cases that won't require users switching between browser client and Notes Client. But if that's not the approach for now, integrating the XPage into the frameset is likely to be a challenge, not least in terms of look and feel, that may not result in a good user experience.
You can integrate an XPage into a Notes client, but it will require you to learn about a number of moving parts. Instead of a Frameset you would use a composite application (same idea, more possibilities) and show various composites: Views, Forms, Pages, XPages, Navigators etc.
However you might consider reversing the process. When the XPages application in the browser works well, you could use the XPiNC feature (XPages in Notes Client) to show the same UI in the Notes client (presuming you have a current Notes version).
You will find some articles here: https://www-10.lotus.com/ldd/ddwiki.nsf/xpSearch.xsp?searchValue=%20XPages%20in%20the%20Notes%20client
My thought: what possibly causes your problems opening the XPage in a frameset (either with http:// or notes:// protocols) is an incompatible browser (the one in the client).
You can workaround this problem if you do not need all the bells & whistles of standard XPage - Dojo, events, themes...
So, what about making that XPage as simple as possible: make it stateless, disable Dojo, do not use any events (buttons, actions), in other words just plain HTML/CSS with no JS. That should work inside frameset. All the backend stuff - SSJS, datasources and so on is OK, of course.
Edit: another hint to make it work inside frame/internal browser. Sometimes XPage fails in XPiNC mode because of wrong datasource definition. When viewed from http of Domino server, all local databases are the server ones. But in XPiNC all local databases are treated as local replicas (usually nonexistent) and therefore fail to open. Possible solution:
run XPages from server (https://superuser.com/a/586602/17277)
redefine datasource: include server name in database property (hint: remember server!!database.nsf convention)
That's just a hint, I am not sure it will work for you.
I want to understand why client side rendering makes it bad for SEO? Are there any articles about this? Isn't the data already rendered from the server, and it's just a matter of making it look like anything we want in JavaScript? How will this affect SEO?
Thank you.
The simple answer is that when you render the site with JavaScript you require JavaScript to see the page, right? Well, Google bots don't run JavaScript so in the best case they'll just see plain text.
Nothing wrong with plain text though. The most important thing is that the same info is on the page even without JavaScript.
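The answer's point is that the same information must be in the HTML even when no script runs. The block below is an added example, not from the thread: one template rendered on the server so the fetched HTML already contains the content, with the same data embedded for the browser to re-render. The names (`renderPage`, `jsonForScript`, the sample articles) are assumptions for illustration. The security detail it carries is that server-side rendering moves the XSS risk from DOM APIs to string building, and that a JSON data island inside `<script>` needs its own escaping so that user text cannot close the tag.

```javascript
// Added example, not from the thread: one template rendered on the server, so
// the HTML a crawler fetches already contains the content, plus the same data
// embedded for the browser to re-render. The security point is escaping:
// rendering on the server moves XSS risk from DOM APIs to string building,
// and a JSON data island inside <script> needs its own escaping.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JSON placed inside <script> must not be able to close the tag or open a
// comment. Escaping these as \uXXXX keeps the text valid JSON for JSON.parse.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

function renderArticles(articles) {
  return articles.map((a) =>
    `<article><h2>${escapeHtml(a.title)}</h2><p>${escapeHtml(a.summary)}</p></article>`).join('\n');
}

function renderPage(articles) {
  return `<!doctype html>
<html><body>
<main id="app">
${renderArticles(articles)}
</main>
<script id="data" type="application/json">${jsonForScript(articles)}</script>
<script>
// Client side: the same data is available for re-rendering (paging,
// filtering) without another request. Without JavaScript the crawler still
// gets the <main> content above.
var articles = JSON.parse(document.getElementById('data').textContent);
console.log(articles.length + ' articles hydrated');
</script>
</body></html>`;
}

// Constructed sample data, including markup of the kind an attacker might submit.
const ARTICLES = [
  { title: 'Hello <b>world</b>', summary: 'A plain summary.' },
  { title: 'Tricky', summary: '</script><script>alert(1)</script>' },
];

console.log(renderPage(ARTICLES));
```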
Can you be more specific on how you are planning to implement client side rendering?
Why would you like to use SEO for a SharePoint site?
SharePoint has already a very good native search engine.
Please take into account that using SharePoint as a public website is no longer recommended; furthermore Microsoft and any SP professional will discourage you from using it in that way. Microsoft has already dropped the public website feature from SharePoint Online (Office 365), and as you may know the current Microsoft strategy is “Cloud first, Mobile first”, so you can expect that in the middle term most of the ways and patterns will be equivalent in SP Online and SP on-premise. So I'm not saying that you can't do this with a SharePoint server exposed to the internet; however, you shouldn't continue doing it, considering that you can use web services to call/get SharePoint content from any other web platform in case you need to publish some SharePoint content in a public website.
http://support.microsoft.com/en-us/kb/3027254/en-us
https://www.linkedin.com/pulse/sharepoint-public-website-platform-any-more-marwan-tarek
Can someone explain to me the potential security vulnerabilities associated with having * for the Cordova/PhoneGap url whitelist i.e. allowing all urls?
I just read an article and I think you would be interested in it. Just check it out:
http://www.nerdybeardo.com/2013/11/phonegap-xss-vulnerabilities-visited/
It just means that your app will trust all external hosts and be able to communicate with them. You'll just have to make sure that your app does not make it easy for users to follow links or input data that could be dangerous.
If you can get away with having to use * that would be best, but if you are doing something like an RSS reader then I can't see any other way.
I work for an organisation that needs secure mobile apps and we've ruled out PhoneGap / Cordova because of security concerns. Cordova provides a JavaScript API that allows you to control most of the phone's hardware and major OS components. A web view allows you to load script from anywhere that could then call those APIs. Here's a simple example:
My HTML5 Phonegap app embeds a web page from my forum site to provide some social content,
My forum site has poor controls against cross-site scripting,
A bad guy posts a forum post that embeds some JavaScript that calls the Cordova APIs to get AddressBook contacts,
You view the post on my app and now the bad guy has all of your contacts.
The app itself or any content that it consumes could have an XSS vulnerability that makes the phone wide open.
There are also several other attacks that could be done on the phone itself, particularly if the phone is jailbroken and the JS content of the app can be modified.
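To make concrete what the * whitelist in the question gives away, the block below is an added example (not Cordova's own whitelist code): a simplified origin allowlist in the spirit of config.xml `<access origin="...">` entries, run against a few constructed URLs. The pattern syntax it accepts (`*` alone, or `scheme://host[:port]` with `*` as scheme and `*.` for any subdomain) and all function names are assumptions for illustration, not the exact matching rules of the Cordova whitelist plugin.

```javascript
// Added example, not Cordova's own whitelist code: a simplified origin
// allowlist in the spirit of <access origin="..."> entries in config.xml, to
// show what "*" gives away compared with naming the hosts the app talks to.
// Assumed pattern syntax: "*" alone, or scheme://host[:port] where the scheme
// may be "*" and the host may start with "*." for any subdomain.
const DEFAULT_PORTS = { http: '80', https: '443' };

function compileOrigin(pattern) {
  if (pattern === '*') return () => true; // trust everything
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/(\*\.)?([^\/:*]+)(?::(\d+))?\/?$/i.exec(pattern);
  if (!m) throw new Error(`unsupported origin pattern: ${pattern}`);
  const scheme = m[1].toLowerCase();
  const anySubdomain = Boolean(m[2]);
  const host = m[3].toLowerCase();
  const port = m[4];
  return (url) => {
    let u;
    try { u = new URL(url); } catch (e) { return false; }
    const s = u.protocol.replace(/:$/, '');
    const p = u.port || DEFAULT_PORTS[s] || '';
    const hostOk = u.hostname === host || (anySubdomain && u.hostname.endsWith('.' + host));
    return (scheme === '*' || s === scheme) && hostOk && (!port || p === port);
  };
}

// Build one predicate from a list of patterns, as the app's allowlist.
function makeAllowlist(patterns) {
  const matchers = patterns.map(compileOrigin);
  return (url) => matchers.some((allowed) => allowed(url));
}

// Two constructed policies: the "*" the question asks about, and one that
// names only the API host and the CDN subdomains the app really needs.
const wideOpen = makeAllowlist(['*']);
const scoped = makeAllowlist(['https://api.example.com', 'https://*.cdn.example.com']);

function demo() {
  const probes = [
    'https://api.example.com/v1/items',     // the app's own API
    'https://img.cdn.example.com/a.png',    // allowed subdomain
    'http://api.example.com/v1/items',      // plaintext: wrong scheme
    'https://evil.example.net/payload.js',  // not listed at all
    'https://api.example.com.evil.net/',    // suffix trick on the host name
  ];
  return probes.map((url) => ({ url, wideOpen: wideOpen(url), scoped: scoped(url) }));
}

console.table(demo());
```

The allowlist only decides which origins the web view may talk to; it does not make content from those origins safe, which is the point of the forum scenario above. The usual mitigations are to open pages you do not control in the system browser (Cordova ships an InAppBrowser plugin for that) rather than inside the app's own web view, and to add a Content-Security-Policy meta tag to the app's HTML, as the whitelist plugin's documentation recommends.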
Does anyone have tips or an ebook that can give me a good foundation on how to create applications in lotus notes using web browsers instead of clients. Links or tips are much appreciated.
Thanks!
Books are a good starter. But you'll find there is a lot more to it than you see in books. So, here is a quick list of places to look.
Books
You've got these options for books (all downloadable as eBooks too)
Classic Web development prior to Notes 8.5 -- Reviews here and here
Latest Web stuff with XPages if you have Notes 8.5+ (kindle/paper)
There are IBM wikis (HTML), but I have found the IBM wiki experience underwhelming. (The adjectives "half-ar$ed" and "piece-meal" come to mind a lot when reading these.)
IBM's redbook site (PDF/HTML) has better produced content than the wikis.
Sites
Two of the best web development tip/technique sites for the trickier problems are codestore.net and nsftools.com
OpenNTF is a well-used site for free code and solutions written by a lot of smart people.
Quite a few good bloggers have "coagulated" on planetLotus
Try Searching for XPages in Google. Or start here
If you enable http on the server, you should be able to see your domino applications from the web. You then need to modify them to make them a bit more web friendly. The basic technique for this is to have 2 design elements with the same alias, hide one from notes and the other from the web. This will make it a bit easier to make it functional from both the client and the web browser.
Other functionality which makes this a bit easier would be 'Pass through HTML', the Domino CGI Variables and the 'WebQueryOpen' and 'WebQuerySave' events. As Jasper points out, XPages is the new sparkling way to do this, but it might not be an option for existing systems (It requires the latest version of Domino server). Good Luck!
What version of Domino are you running? If it's an 8.5 variant, I would suggest you use XPages to bring your old client apps to the web (XPages are not an option in releases prior to 8.5).
As to how you go about this, that's well beyond the scope of an answer on Stack Overflow: it's a book in and of itself! To learn about web development with XPages, I suggest visiting some of the well-known sites out there, and perhaps picking up a course or two. Here are some links:
http://xpages101.net
http://www.qtzar.com/blogs/qtzar.nsf/htdocs/LearningXPages.htm
http://notesin9.com/
(Also, IBM publish a book on XPages development, although I've not read it).
With regards "classic" Domino development, your best bet is to view your existing Notes app in a web browser and then start hacking on the default HTML generated (which is nasty). The best single resource out there for classic Domino web development tips and hacks is Jake Howlett's Codestore
Start small, build yourself a small database with a subset of data and explore what you can do. I've been a Notes client developer for 10+ years and doing Domino web work for the last three or four years and am still on a steep learning curve. It's a very powerful platform, but you also need to know HTML, as on many occasions the HTML that you see in the browser has helped me pin down the faults in my application code.