10-04-2019 3:32 PM - edited 02-03-2024 5:39 PM
Dear Experts,
Most recent e-commerce sites support the special character '#' in the password field.
If I set 'xss.filter.enabled=false', then customers can use the '#' special character in the password field in hybris (SAP Customer Experience).
But for security reasons, our team has to set 'xss.filter.enabled=true'.
Which class or xss.filter.rule removes the '#' character from parameters?
How can I send the '#' special character to the controller when the XSS filter is on?
I'm going to try excluding a specific filter using filterConfig, but I don't know which specific filter removes the '#' character.
I have read several threads already, but I couldn't find a clear answer yet.
1. https://answers.sap.com/questions/12758960/view.html
2. https://answers.sap.com/questions/12722914/bug-in-username-login-page-hybris-version-68.html
3. https://hybrismart.com/2018/04/14/five-things-about-sap-hybris-you-probably-didnt-know/
Thank you for taking the time to read this thread 🙂
Have a nice weekend!
I found a clue in another question.
https://answers.sap.com/questions/12768653/hashtag-in-passoword.html
I commented out xss.filter.rule.javascript2=(?i)\\u0023 and the '#' character in the password worked fine.
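The following added example (written for this thread, not hybris's own XssFilter code) models how a regex rule list in the style of the xss.filter.rule.* properties is applied to request parameters, and why the javascript2 rule eats the '#'. In a Java .properties file `\\` is an escaped backslash, so the regex engine receives `(?i)\u0023`, the Unicode escape for a single '#' character; every match is deleted before the controller sees the value. The rule names, the second illustrative rule, the j_username/j_password/q field names and the per-parameter exemption mechanism are all assumptions of this example, used to contrast commenting the rule out globally (as in the post) with switching it off only for the password field, which is hashed rather than rendered.

```python
import re

# Constructed subset of rules in the style of hybris's xss.filter.rule.* properties.
# Example code, not hybris's own XssFilter. In the .properties file the value is
# written as (?i)\\u0023; after properties-file unescaping the regex engine sees
# (?i)\u0023, i.e. a case-insensitive match on the single character '#'.
XSS_RULES = {
    "javascript2": r"(?i)\u0023",                      # the rule the poster commented out
    "script_tag": r"(?i)<script[^>]*>.*?</script>",    # assumed illustrative rule
}


def sanitize_value(value, rules, disabled=frozenset()):
    """Delete every match of each enabled rule from one parameter value."""
    for name, pattern in rules.items():
        if name in disabled:
            continue
        value = re.sub(pattern, "", value, flags=re.DOTALL)
    return value


def sanitize_params(params, rules, disabled=frozenset(), exemptions=None):
    """Apply the rules to every request parameter.

    disabled   -- rule names switched off for every parameter (global change,
                  equivalent to commenting the property out as in the post)
    exemptions -- {parameter name: set of rule names} switched off only for
                  that parameter (hypothetical narrower alternative)
    """
    exemptions = exemptions or {}
    cleaned = {}
    for name, value in params.items():
        skip = set(disabled) | exemptions.get(name, set())
        cleaned[name] = sanitize_value(value, rules, skip)
    return cleaned


# Constructed login request; j_username, j_password and q are assumed field names.
LOGIN_REQUEST = {
    "j_username": "<script>alert(1)</script>alice",
    "j_password": "Corr#ct-Horse<script>x</script>",
    "q": "sale#2019",
}


def filter_as_shipped():
    # All rules active: the password is silently changed to "Corrct-Horse",
    # so the stored hash never matches what the customer typed.
    return sanitize_params(LOGIN_REQUEST, XSS_RULES)


def filter_rule_disabled_globally():
    # What commenting out xss.filter.rule.javascript2 does: '#' survives in every
    # parameter, including ones that may be echoed back into a page.
    return sanitize_params(LOGIN_REQUEST, XSS_RULES, disabled={"javascript2"})


def filter_rule_exempt_for_password():
    # Narrower alternative: '#' survives only in j_password; the rule still
    # applies to every other parameter.
    return sanitize_params(LOGIN_REQUEST, XSS_RULES,
                           exemptions={"j_password": {"javascript2"}})


if __name__ == "__main__":
    for label, fn in [("as shipped", filter_as_shipped),
                      ("javascript2 disabled globally", filter_rule_disabled_globally),
                      ("javascript2 exempt for j_password only", filter_rule_exempt_for_password)]:
        print(f"{label}: {fn()}")
```

Run as-is it prints the three outcomes: with the shipped rules the password arrives as "Corrct-Horse" while the script tag is still stripped; disabling the rule globally keeps '#' in every field; the per-field exemption keeps it only where the value is never rendered, which is the change a reviewer would ask for in place of removing the rule outright.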