Prevent cross-site scripting (XSS)

By using the upload document function, an attacker could potentially upload an HTML page to TeamForge that contains active code, such as JavaScript. This active code would then be executed by clients' browsers when they view the page.

To prevent an attack of this sort, you can specify whether or not HTML code is displayed in CollabNet TeamForge. This flag applies to all documents, tracker, task, and forum attachments, and files in the file release system.
  1. Set the SAFE_DOWNLOAD_MODE token according to your requirements. For more information, see SAFE_DOWNLOAD_MODE.
  2. Deploy services.
    1. Move all backup files and folders including the error folder to /tmp.
      Note: This step is required to make sure that there are no backup files and folders present in /opt/collabnet/teamforge/var/james/var/mail/ to avoid any delay during provisioning.
      • cd /opt/collabnet/teamforge/var/james/var/mail/
      • mv * /tmp
    2. Run the TeamForge provision command.
      • /opt/collabnet/teamforge/bin/teamforge provision

    The "provision" command prompts for response before it bootstraps or migrates data during TeamForge installation and upgrade respectively. Enter "Yes" or "No" to proceed. For more information, see The teamforge script.