Hi Jerome,
When I change to false
security.css.protection = false
Other problems:
Disabling CSS is done at the portal level and not just the portlet level. While it might be convenient to disable the CSS protection in some circumstances, it exposes a potential vulnerability when passing form input into a Web application. Some secure programs could unwittingly accept data from an untrusted user (the attacker) and pass that data on to a different user's application (the victim). If the secure program does not protect the victim, the victim's application (in this case, his or her Web browser) can then process that data in a way harmful to the victim.
This is a particularly common problem for web applications using HTML or XML, where the problem is known by several names including "cross-site scripting," "malicious HTML tags," or "malicious content," and can happen on SSL and non-SSL connections. Without CSS security protection, the hacker could gain complete access to some pages. Here are some of the problems associated with not implementing this security feature:
SSL-encrypted connections might be exposed
Attacks might be persistent through poisoned cookies
Attacker might access restricted web sites from the client
Domain-based security policies might be violated
Use of less-common character sets might present additional risk
Attacker might alter the behavior of forms
My doubt is what should I do for this. I need security also.