13.7.2 Option 2: Filtering

By default, the XSS detection filter is enabled in Identity Server’s web.xml file.

For information about how to open and modify a file, see Modifying Configurations.

The filter is as follows:

<filter>
             <filter-name>XSSDetectionFilter</filter-name>
             <filter-class>com.novell.nidp.servlets.filters.xss.XSSDetectionFilter</filter-class>
             <description>This filter is used to detect XSS attacks in NIDS</description>
             <init-param>
               <param-name>active</param-name>
                  <param-value>True</param-value>
               </init-param>
             <init-param>
                    <param-name>level</param-name>
                  <param-value>SCRIPT_TAGS</param-value>
              </init-param>
            <init-param>
                    <param-name>exclude</param-name>
                  <param-value>soap,wstrust,metadata,oauth</param-value>
              </init-param>
</filter>

To disable it, set the <param-value> True to False as follows:

<init-param>
        <param-name>active</param-name>
      <param-value>False</param-value>
</init-param>

To exclude it from a specific request, add a URL string from that request in the <param-name>exclude</param-name> tag that contains the default excluded request path name.

For example: If wsfed request fails due to some reason, add wsfed in the exclude list. Now, Identity Provider will not filter wsfed specific requests.The exclude init-param is as follows:

<init-param>
       <param-name>exclude</param-name>
   <param-value>soap,wstrust,metadata,oauth,wsfed</param-value>
  </init-param>

This approach might have a minor performance impact due to the checks it performs. If you perform HTML escaping in customized JSP pages, you do not need to perform this additional filtering.

Perform the followings steps to sanitize Identity Server’s customized JSP file: