Restrict use of special characters


How to Restrict the use of special characters < and >


For general protection against XSS, it is possible from the 9.3 release to restrict users from entering HTML tags in various fields.

To get a full view of the settings press the expert mode button from the GateManager Configuration.

Expert mode enables the sanitize input options

The sanitize input settings are accessible from the server configuration, GateManager configuration under miscellaneous. Click the edit button on the top to enable configuration.

From the 9.3 release, you can sanitize the input in various fields

The Sanitize Input options are:

• Disabled (Trust everyone) - Don't sanitize any input at all and allow everyone to enter HTML.

• Enforced (Trust no one) - Unconditionally sanitize all input fields.

• Trust Server Administrators - Allow <i>only</i> server administrators to enter and edit HTML.

• Trust Server and Distributor admins - Allow <i>only</i> server and distributor administrators to enter and edit HTML.

• Trust all administrators - Allow all administrator accounts to enter and edit HTML.

For most input fields, it is no longer possible to enter < or > characters, as they are force-replaced by [ and ] characters when GM's web server parses the CGI parameters.

Since we still have to be able to upload binary files, edit HTML data and XML configurations, and allow cases where a mail address is written as "User Name <email@address>", input fields whose (internal) names start with "raw" bypass the initial force-replace and are subsequently handled individually on an "as needed" basis.

This "as needed" is further restricted to selected groups of administrators (defined by their roles) via a new "Sanitize Input" expert mode parameter. By default, only the server administrator is allowed to use < or > in the non-restricted input fields (and thus edit HTML or upload binary files).

The only exceptions to this rule are:

• Configuration profiles are never sanitized (so any administrator can enter XML here).

• Any administrator can upload domain logo files (we don't support SVG logos, so it should be safe).

• User certificates used during login are never sanitized (they are binary files, and if they are to be saved in the browser, GM converts them to HEX, so no harm can be done through this).

The following Server Config input fields may still contain < ... > (all other settings cannot): *)

• Account Settings: Account Mail From, Blind Copy Mail Address

• Alert Settings: From Address, Blind Copy Mail Address

• Remote Service Agent: Contact

*) Note that only Server Admins can edit these settings.

The various files, scripts, and templates located under "Files" may still contain HTML code, but they are only editable by trusted accounts (Server Admin).

The Domain Messages can still contain HTML code, but only a trusted account (Server Admin) can enter and edit HTML messages. Other administrators are restricted to creating text-only messages.

To completely disable all occurrences of < ... > in input fields, set sanitize_input = 0 in /gm/cloud.conf; setting it there prevents a logged-in server administrator from changing the "Sanitize Input" setting to allow HTML.
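The following is an added illustrative model of the rules described above (the force-replace of < and > at CGI parse time, the "raw" prefix bypass and its role-based trust levels, and the sanitize_input = 0 override in /gm/cloud.conf). It is example code written for this article, not Secomea's GateManager code. The role names, the OTHER_ADMIN label, the field names in the constructed request and the exempt_fields mechanism are assumptions; the article does not give the internal field names of the "never sanitized" exceptions, so callers supply their own.

```python
"""Illustrative model of the GateManager "Sanitize Input" rules (added example, not product code)."""
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Role(Enum):
    """Administrator roles the Sanitize Input options distinguish (names assumed)."""
    SERVER_ADMIN = "server"
    DISTRIBUTOR_ADMIN = "distributor"
    OTHER_ADMIN = "other"  # assumed label for the remaining administrator accounts


class Policy(Enum):
    """The five Sanitize Input options listed in the article."""
    DISABLED = "Disabled (Trust everyone)"
    ENFORCED = "Enforced (Trust no one)"
    TRUST_SERVER = "Trust Server Administrators"
    TRUST_SERVER_AND_DISTRIBUTOR = "Trust Server and Distributor admins"
    TRUST_ALL = "Trust all administrators"


# Roles each policy trusts to keep literal '<' and '>' in "raw*" fields.
TRUSTED_ROLES = {
    Policy.DISABLED: frozenset(Role),
    Policy.ENFORCED: frozenset(),
    Policy.TRUST_SERVER: frozenset({Role.SERVER_ADMIN}),
    Policy.TRUST_SERVER_AND_DISTRIBUTOR: frozenset({Role.SERVER_ADMIN, Role.DISTRIBUTOR_ADMIN}),
    Policy.TRUST_ALL: frozenset(Role),
}


def force_replace(value: str) -> str:
    """Unconditional replacement applied to ordinary (non-"raw") fields."""
    return value.replace("<", "[").replace(">", "]")


def effective_policy(configured: Policy, cloud_conf_sanitize_input: Optional[int]) -> Policy:
    """sanitize_input = 0 in /gm/cloud.conf pins the policy to Enforced,
    so a server administrator cannot relax it from the web UI."""
    if cloud_conf_sanitize_input == 0:
        return Policy.ENFORCED
    return configured


def sanitize_params(
    params: Dict[str, str],
    role: Role,
    configured: Policy,
    cloud_conf_sanitize_input: Optional[int] = None,
    exempt_fields: FrozenSet[str] = frozenset(),
) -> Dict[str, str]:
    """Apply the article's rules to one request's CGI parameters.

    exempt_fields models the "never sanitized" exceptions (configuration
    profiles, logo uploads, login certificates); the internal field names
    are not given in the article, so callers pass their own (assumption).
    """
    policy = effective_policy(configured, cloud_conf_sanitize_input)
    trusted = role in TRUSTED_ROLES[policy]
    out: Dict[str, str] = {}
    for name, value in params.items():
        if name in exempt_fields:
            out[name] = value                 # never sanitized
        elif not name.startswith("raw"):
            out[name] = force_replace(value)  # force-replaced at CGI parse time
        elif trusted:
            out[name] = value                 # raw field, trusted role: HTML allowed
        else:
            out[name] = force_replace(value)  # raw field, untrusted role
    return out


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed request: an ordinary display-name field plus a "raw" mail-from field."""
    request = {
        "accountName": "<b>Alice</b>",               # constructed: HTML in an ordinary field
        "rawMailFrom": "User Name <email@address>",  # constructed: legitimate use of < >
    }
    return {
        "other admin, Trust Server": sanitize_params(request, Role.OTHER_ADMIN, Policy.TRUST_SERVER),
        "server admin, Trust Server": sanitize_params(request, Role.SERVER_ADMIN, Policy.TRUST_SERVER),
        "server admin, cloud.conf=0": sanitize_params(request, Role.SERVER_ADMIN, Policy.TRUST_SERVER, 0),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running demo() shows the three outcomes the article describes: the ordinary field is always bracketed, the "raw" mail-from field keeps its angle brackets only for a trusted role, and the cloud.conf override removes that trust even from the server administrator.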

Creation date: 27/10/2020 10:42 ()      Updated: 11/11/2020 09:00 (mvn@secomea.com)
