Published Jun. 30, 2025

LSV-1203 and LSV-1205 prevent Users from Including JavaScript in Rich Text Editor

Author

Daniel Martinez Cisneros


(*) Internal article until the LSV-1203 and LSV-1205 information is available for external users in the Security Advisories section.

Issue

After updating to quarterly releases higher than 2024.Q1.3, or to any version that includes the fix for LSV-1203 or LSV-1205, users are no longer able to include JavaScript in the Rich Text field. The validation process removes all XSS content by sanitizing the submitted HTML.

Significant changes have been implemented in Cross-Site Scripting (XSS) validation within the rich text editor. The primary goal of this modification is to enhance the security of the content generated and published through this editor.

Environment

  • Versions including the fix for LSV-1203 or LSV-1205, for example: 2023.Q4.9, 2024.Q1.3, 2024.Q2.0, 7.4.13-u113

Context

Previously, although AntiSamy could be configured, there was no strict validation preventing the inclusion of malicious XSS code in the HTML generated by the rich text editor.

After the fix for LSV-1203 or LSV-1205, XSS validations are enabled by default in the rich text editor. The system now analyzes and filters the HTML content to identify and block any attempt to include malicious scripts, sanitizing the HTML before it is stored. This validation is essential to prevent XSS attacks, which can compromise the integrity of the application and the security of user data.
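To make concrete what "sanitizing the HTML" means for a rich text field, the following is an added, illustrative allowlist sanitizer written for this article; it is not Liferay's implementation and does not reproduce its exact rules. The allowed tag and attribute sets, the `AllowlistSanitizer` class, the `sanitize` function and the sample input are all constructed here. It shows the three things such a filter has to do: drop script-bearing elements, drop event-handler attributes, and reject unsafe URL schemes, while keeping an audit trail of what was removed.

```python
"""Illustrative allowlist HTML sanitizer (added example, not Liferay's code)."""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: the tags and attributes a rich-text field typically needs.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Only these URL prefixes are accepted on href; "javascript:" and "data:" never pass.
# Scheme-less relative paths must start with "/" (a deliberately conservative choice).
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
VOID_TAGS = {"br"}  # emitted without a closing tag


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from an allowlist; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose text is discarded
        self.removed = []    # what was stripped, useful for logging/detection

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.removed.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onclick, onerror, onload, ...
                self.removed.append(f"attr:{tag}@{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.removed.append(f"attr:{tag}@{name}")
                continue
            # HTMLParser has already decoded entities, so "&#106;avascript:" is caught too.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.removed.append(f"url:{value}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside <script>/<style> is dropped; everything else is re-escaped.
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (clean_html, removed_items) for the given untrusted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: what a user might paste into a rich text field.
CONSTRUCTED_INPUT = (
    '<p onclick="steal()">Hello <b>world</b></p>'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="https://example.com" target="_blank">ok</a>'
    '<img src="x" onerror="alert(1)">'
)

if __name__ == "__main__":
    clean, removed = sanitize(CONSTRUCTED_INPUT)
    print(clean)
    print("removed:", removed)
```

The `removed` list is the part a defender cares about beyond the cleaned output: logging it per save gives a simple signal for accounts that repeatedly submit script-bearing markup, which is exactly the content the validation in this release now blocks by default.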

Resolution

Understanding that there may be specific scenarios where developers or system administrators require greater flexibility, a new property has been introduced. This property should be used with extreme caution and only in cases where the HTML content is known to be safe and controlled.

Disabling XSS validations can be useful in development environments or internal applications where the risk of malicious script inclusion is low, and greater freedom for entering HTML code is needed.

In some cases clients need to be able to allow JavaScript in their HTML content. Although this is a potential risk, there is a way to disable the XSS validations.

The validation is disabled by setting the Feature Flag LPD-31212 to true, in either of two ways:

  • Change the value of Feature Flag LPD-31212 in (Instance/System) Settings -> Feature Flags -> Release: LPD-31212=true

  • Or include this property in your portal-ext.properties: feature.flag.LPD-31212=true

If you don't see this Feature Flag, open a ticket to request a patch for LPD-31212.
