IBM Business Process Manager


BPM 8.0.0 - Event Manager - IE throwing XSS (Cross-site Scripting) error


I executed the code below in IE, and it's throwing an XSS error!!!! Any ideas?
IE message: "IE had modified this page to help to prevent Cross-site-scripting"
Code:
<form action="http://localhost:2809/eventmgr/httpcontroller/SendEvent" method="post">
  <textarea name="eventmsg" rows="20" cols="80">
<eventmsg>
<event processApp="XTA" ucaname="XYX Event UCA">XYX Event Process</event>
<parameters>
<parameter>
<key>eventMessage</key>
<value>This is test Event message</value>
</parameter>
</parameters>
</eventmsg>
  </textarea>
  <input type="submit" value="Submit">
</form>

kolban (1000000446), 2012-12-10T16:24:02Z
The rules of a browser are that it can only send data back to the web server (host and port) from which the page being shown was itself sourced.
In your form, it looks like you are trying to send "form" data (HTTP POST) to http://localhost:2809. I think it unlikely that is where your web page itself was served from.
Neil

SystemAdmin (110000D4XK), 2012-12-10T18:27:11Z
I have this test HTML page on my desktop (localhost), and the Process Center is also installed locally.
Does it make any sense?

kolban (1000000446), 2012-12-10T19:22:37Z
I don't believe it matters if the page is loaded from an HTML file on the desktop. Browser rules should still apply. An attempt to access a location other than the one that served up the original page should be denied.
Have a Google for the phrase "same origin policy"; see also:
http://en.wikipedia.org/wiki/Same_origin_policy
Neil

SystemAdmin (110000D4XK), 2012-12-12T20:32:43Z
Resolved!!!
Changed the URL to point to port 9080.
Can you please share the resolution? We are also facing the same issue. Here are the HTML form details along with the event message.
<html>
<head></head>
<body>
<!-- the form belongs in the body, not in the head -->
<form action="https://<server>:<port>/eventmgr/httpcontroller/SendEvent" method="post">
<textarea rows="20" cols="80" name="eventmsg">
<eventmsg><event ucaname="UCAVal" processApp="xxxxE">770911d6-1fb3-44a3-8f8a-90dd1e81eff9</event><parameters><parameter><key>RefNumber</key><value>XX2345</value></parameter></parameters></eventmsg>
</textarea>
<input type="submit">
</form>
</body>
</html>
Once submitted, I see the token has not moved out of the IME, and I get a "FAIL" response from the form action in the browser.
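As an added example (not code from this thread or from IBM BPM), the following Python script does what the HTML forms in the first and last posts do, but builds the eventmsg document with an XML serializer so that values such as the event message text or the RefNumber are escaped instead of being pasted in as raw markup, and then POSTs it as the eventmsg form field to the SendEvent controller. The path /eventmgr/httpcontroller/SendEvent and the field name eventmsg are taken from the thread; the default base URL http://localhost:9080 follows the resolved post, and treating a response body containing FAIL as a rejection is an assumption based on the last post.

```python
# Added example, not code from the thread or from IBM BPM.
# Builds the Event Manager <eventmsg> document with ElementTree so that every
# value is XML-escaped, then POSTs it as the "eventmsg" form field exactly as
# the HTML forms in the thread do. Endpoint path and field name come from the
# thread; the host/port default and the "FAIL" response check are assumptions.
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SEND_EVENT_PATH = "/eventmgr/httpcontroller/SendEvent"


def build_event_msg(process_app, uca_name, event_name, parameters):
    """Return the <eventmsg> XML as a string; the serializer escapes all text."""
    root = ET.Element("eventmsg")
    event = ET.SubElement(root, "event", processApp=process_app, ucaname=uca_name)
    event.text = event_name
    params = ET.SubElement(root, "parameters")
    for key, value in parameters.items():
        param = ET.SubElement(params, "parameter")
        ET.SubElement(param, "key").text = key
        ET.SubElement(param, "value").text = value
    return ET.tostring(root, encoding="unicode")


def encode_form(xml_text):
    """Encode the message as the application/x-www-form-urlencoded body a browser form sends."""
    return urllib.parse.urlencode({"eventmsg": xml_text}).encode("utf-8")


def send_event(xml_text, base_url="http://localhost:9080"):
    """POST the message; return (HTTP status, response body). Raises if the body reports FAIL."""
    req = urllib.request.Request(
        base_url + SEND_EVENT_PATH, data=encode_form(xml_text), method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8", "replace")
    if "FAIL" in body:  # assumption: the controller reports rejection with this text
        raise RuntimeError("Event Manager rejected the message: " + body.strip())
    return resp.status, body


if __name__ == "__main__":
    # Same event as the first post in the thread (constructed sample values).
    msg = build_event_msg(
        "XTA", "XYX Event UCA", "XYX Event Process",
        {"eventMessage": "This is test Event message"},
    )
    print(msg)
    print(send_event(msg))
```

Because the values go through the serializer, a parameter value containing `<` or `&` arrives as `&lt;` and `&amp;` rather than as extra elements, which is the property you want when the value originates from user input.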
