How to enable sanitization for a cross-site scripting attack by default for KNIME Analytics Platform previous version.

Hi experts,
Our IT colleagues found that there is a security issue for KNIME analytics Platform based on latest security advisory:
"An unsafe default configuration in KNIME Analytics Platform before 5.2.2 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. …

… However, these are off by default which allows for cross-site scripting attacks.

KNIME Analytics Platform 5.2.2 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor’s knime.ini."

Does anyone know how to configure the corresponding settings in knime.ini to enable sanitization?

Thanks in advanced!

1 Like

I tried to follow the instruction in web portal admin guide to add the following configuration:

-Djs.core.sanitize.clientHTML=true

But I am not sure how to verify it works.

1 Like

Does anyone know if this is an issue in the 4.7.2 version /release or only on the 5.2 version / release?

Hi Steven

It seems that all of the releases before 5.2.2 disable this setting by default so you need to enable this manually.

regards,
Wade

1 Like