How to enable sanitization for a cross-site scripting attack by default for KNIME Analytics Platform previous version.

WadeLo · February 22, 2024, 8:10am

Hi experts,
Our IT colleagues found that there is a security issue for KNIME analytics Platform based on latest security advisory:
"An unsafe default configuration in KNIME Analytics Platform before 5.2.2 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. …

… However, these are off by default which allows for cross-site scripting attacks.

KNIME Analytics Platform 5.2.2 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor’s knime.ini."

Does anyone know how to configure the corresponding settings in knime.ini to enable sanitization?

Thanks in advanced!

WadeLo · February 22, 2024, 8:41am

I tried to follow the instruction in web portal admin guide to add the following configuration:

-Djs.core.sanitize.clientHTML=true

But I am not sure how to verify it works.

StevenLauretti · February 22, 2024, 7:09pm

Does anyone know if this is an issue in the 4.7.2 version /release or only on the 5.2 version / release?

WadeLo · February 23, 2024, 1:05am

Hi Steven

It seems that all of the releases before 5.2.2 disable this setting by default so you need to enable this manually.

regards,
Wade

system · May 23, 2024, 1:06am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.