Friday 12 June 2015

Prevent Cross-Site Script attacks in ATG using SecurityServlet

Oracle ATG Web Commerce includes a component, /atg/dynamo/servlet/dafpipeline/SecurityServlet, that monitors query parameters and halts request processing if they appear suspicious.

The SecurityServlet component uses the /atg/dynamo/servlet/security/ParameterValidator component to check query parameters.

The SecurityServlet component is enabled by default. You can disable it by removing /atg/dynamo/servlet/dafpipeline/SecurityServlet from the insertableServlets property of the /atg/dynamo/servlet/dafpipeline/DynamoHandler/ component.

By default, ParameterValidator checks for the following:
  1.  Illegal HTML tags.
  2.  Illegal HTML attributes.
  3.  Parameter values that match an illegal pattern.
You can extend the handling of suspicious parameter values (point 3 above) by configuring the property below in ParameterValidator.

The default value of the illegalRegexes property (a comma-separated list of regular expressions; note the doubled backslashes required in a .properties file) is:

illegalRegexes=javascript\\s*:,(^|[^a-zA-Z])x\\s*:,vbscript\\s*:,/\\s*>,^\\s*>


To also flag alert( and expression( in their literal and URL-encoded forms (%28 is the encoded opening parenthesis), append two more regexes. The property then becomes:

illegalRegexes=javascript\\s*:,(^|[^a-zA-Z])x\\s*:,vbscript\\s*:,/\\s*>,^\\s*>,alert(\\(|%28),expression(\\(|%28)
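As an added illustration (not part of the original post or of ATG's own ParameterValidator code), the Python below loads the extended illegalRegexes value exactly as written above, unescapes it the way a Java .properties loader would, and runs each compiled pattern over a set of constructed query parameters, so you can see which values the default and added rules catch and which they let through. The properties unescaping and the comma split are simplified assumptions, not ATG's parser.

```python
import re

# The illegalRegexes value exactly as the post's final ParameterValidator.properties line.
ILLEGAL_REGEXES_LINE = (
    r"javascript\\s*:,(^|[^a-zA-Z])x\\s*:,vbscript\\s*:,/\\s*>,^\\s*>,"
    r"alert(\\(|%28),expression(\\(|%28)"
)

# Constructed sample request parameters (not from the post); values are the raw,
# still URL-encoded strings as a servlet would see them before decoding.
SAMPLE_PARAMS = {
    "q": "red shoes",                            # ordinary search term
    "name": "Max:",                              # 'x:' preceded by a letter: not the x\s*: rule
    "payload": "<img src=x onerror=alert(1)>",   # classic reflected-XSS probe
    "callback": "alert%281%29",                  # same call, parenthesis URL-encoded
    "href": "javascript :void(0)",               # whitespace before ':' is still caught
    "style": "width:expression(1)",              # legacy IE CSS expression
}

def load_illegal_regexes(line: str) -> list:
    """Turn the .properties value into compiled patterns.

    Assumptions (a simplified stand-in for ATG's own loader): a Java properties
    file stores each backslash as '\\\\', so collapse pairs first; the list is
    comma-separated and no pattern contains a literal comma. Patterns are
    compiled without flags, so they match case-sensitively as written.
    """
    unescaped = line.replace("\\\\", "\\")
    return [re.compile(p) for p in unescaped.split(",") if p]

def find_suspicious(params: dict, patterns: list) -> dict:
    """Map each parameter name to the illegal patterns its value matches.

    re.search mirrors a 'find anywhere' check; '^'-anchored patterns such as
    ^\\s*> therefore only fire when the whole value starts with '>'.
    """
    hits = {}
    for name, value in params.items():
        matched = [p.pattern for p in patterns if p.search(value)]
        if matched:
            hits[name] = matched
    return hits

if __name__ == "__main__":
    patterns = load_illegal_regexes(ILLEGAL_REGEXES_LINE)
    for name, matched in find_suspicious(SAMPLE_PARAMS, patterns).items():
        print(f"reject parameter {name!r}: matched {matched}")
```

Because the patterns are compiled without flags, a mixed-case variant such as "Alert(" is not matched by the regexes as written; keep that in mind when deciding how much to rely on this list versus output encoding in your pages.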
