[Factory Configuration] AntiXssEncoder in Web.config

Forge Component
Published on 11 Sep (3 weeks ago) by OutSystems R&D

Hi Team,

I want to add the below config settings in my OutSystems application to resolve one of the security issues. Could you please suggest how this can be added using FactoryConfiguration?

<system.web>

<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" requestValidationMode="4.5"/>

</system.web>


Thanks and regards,

Kunal

Kunal Priyadarshi wrote:

Hi Team,

I want to add the below config settings in my OutSystems application to resolve one of the security issues. Could you please suggest how this can be added using FactoryConfiguration?

<system.web>

<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" requestValidationMode="4.5"/>

</system.web>


Thanks and regards,

Kunal

Hi Kunal,

You can follow the forum discussion below:

https://www.outsystems.com/forums/discussion/34866/how-to-change-the-session-timeout-in-factory-configuration/


I hope it will help you!

Thanks
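
Added example, not part of the thread and not OutSystems' own code: an XSLT 1.0 stylesheet that sets the two httpRuntime attributes from the question on a web.config. It assumes Factory Configuration applies a shared configuration as an XSLT transform over the generated web.config; that mechanism is an assumption here and is not stated on this page.

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" indent="yes"/>

  <!-- Identity template: copy every node and attribute unchanged. -->
  <xsl:template match="@*|node()">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- httpRuntime already present: keep its other attributes
       (maxRequestLength, executionTimeout, ...) and overwrite only
       the two attributes from the question. -->
  <xsl:template match="/configuration/system.web/httpRuntime">
    <xsl:copy>
      <xsl:apply-templates
          select="@*[name() != 'encoderType'
                     and name() != 'requestValidationMode']"/>
      <xsl:attribute name="encoderType">System.Web.Security.AntiXss.AntiXssEncoder</xsl:attribute>
      <xsl:attribute name="requestValidationMode">4.5</xsl:attribute>
      <xsl:apply-templates select="node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- system.web without an httpRuntime child: append the element.
       This template and the one above never both fire for the same
       system.web, so the element is not duplicated. -->
  <xsl:template match="/configuration/system.web[not(httpRuntime)]">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
      <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder"
                   requestValidationMode="4.5"/>
    </xsl:copy>
  </xsl:template>
</xsl:stylesheet>
```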

Hi Kunal,


A couple of years ago I evaluated having the AntiXssEncoder by default in the platform and had to remove it.

It can break your pages since it is very aggressive and blocks some valid scenarios.

From our research it did not protect against any real vulnerability, only theoretical ones. It was decided it was not worth it just to make a false positive detection on the scan software disappear.


Regards,

João Rosado

Thanks all for your reply.


Regards,

Kunal