Latest Posts

“XSS (Cross-site scripting) error” – Security issue with potentially malicious content.

Posted on by Zubair Shaik

Loading

XSS (Cross-Site Scripting) Error in SharePoint – Causes, Prevention, and Fixes

Overview

Cross-Site Scripting (XSS) is a security vulnerability in which malicious scripts are injected into a web page and executed in a user’s browser. SharePoint has built-in security mechanisms to prevent XSS attacks, but improper configurations, custom scripts, or third-party web parts can introduce vulnerabilities.

This guide provides a detailed explanation, troubleshooting steps, and best practices to prevent and fix XSS errors in SharePoint.

1. Understanding Cross-Site Scripting (XSS) in SharePoint

What is XSS?

  • XSS allows attackers to inject malicious scripts (e.g., JavaScript) into SharePoint pages.
  • These scripts run in the user’s browser, potentially stealing data, redirecting users, or modifying content.

Types of XSS Attacks in SharePoint

TypeDescriptionExample
Stored XSSMalicious scripts are saved in a SharePoint list or database.Attacker stores <script>alert('Hacked!')</script> in a list item.
Reflected XSSMalicious script is included in a URL and executed when the user clicks the link.https://site.com/?q=<script>alert('XSS')</script>
DOM-Based XSSThe script is injected into client-side code (JavaScript, AJAX).Manipulating JavaScript variables on the page dynamically.

2. Identifying XSS Errors in SharePoint

Common Symptoms of XSS Attacks

  • Unexpected pop-ups when visiting a SharePoint site.
  • Unwanted redirects to unknown websites.
  • Unauthorized changes to page content.
  • JavaScript errors in browser console (F12 > Console).
  • Security warnings in SharePoint logs or Microsoft Defender.

Example of an XSS Vulnerability

If SharePoint allows users to enter raw HTML/JavaScript into a list item, an attacker could enter:

<script>alert('XSS Attack!')</script>

When another user views the list item, the script executes, potentially stealing session data.

3. Common Causes of XSS Errors in SharePoint

  1. Custom JavaScript Code in Content Editor or Script Editor web parts.
  2. User input not sanitized in SharePoint Forms or PowerApps.
  3. Third-party Web Parts with security flaws.
  4. Allowing inline scripting (<script> tags) in list items, pages, or comments.
  5. Old SharePoint versions (2010, 2013, 2016) missing security patches.

4. How to Prevent and Fix XSS in SharePoint

A. Disable Custom Scripts in SharePoint Online

SharePoint Online blocks XSS by default, but some configurations may allow it.
To disable custom scripts:

Using SharePoint Admin Center:

  1. Go to Microsoft 365 Admin Center.
  2. Navigate to SharePoint Admin Center.
  3. Select Settings > Classic Settings Page.
  4. Under Custom Script, ensure:
    • 🚫 “Allow users to run custom script on personal sites” is disabled.
    • 🚫 “Allow users to run custom script on self-service sites” is disabled.
  5. Click Save.

Using PowerShell:

Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/mysite -DenyAddAndCustomizePages 1

This prevents unauthorized script execution.

B. Sanitize User Input in SharePoint Forms

  1. Use SharePoint Validation Rules to reject invalid characters:
    • Navigate to List Settings > Column Settings.
    • Add a Validation Formula, such as: =ISNUMBER(FIND("<script>",[ColumnName]))=FALSE
    • This prevents script tags from being stored.
  2. Use PowerApps “IsMatch” for Input Validation: If( IsMatch(TextInput1.Text, "[<>]"), Notify("Invalid input! No special characters allowed.", NotificationType.Error), SubmitForm(EditForm1) ) This prevents malicious HTML input.

C. Restrict HTML Fields in Rich Text Editors

By default, Enhanced Rich Text (RTF) fields allow HTML content, which can be abused.

Fix: Switch to Plain Text Fields

  1. Go to List Settings > Column Settings.
  2. Click on the Rich Text field.
  3. Change from Enhanced Rich Text to Plain Text.
  4. Click Save.

D. Enable Content Security Policy (CSP) in SharePoint

A Content Security Policy (CSP) restricts which scripts can execute.

Steps to Implement CSP in SharePoint Master Page (Classic Sites)

  1. Edit the Master Page (_catalogs/masterpage).
  2. Insert CSP header: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'sha256-BASE64HASH';">
  3. Save and publish the master page.

This prevents external scripts from running.

E. Monitor and Block Malicious Activities

  1. Use Microsoft Defender for Office 365:
    • Navigate to Microsoft Defender Security Center.
    • Check for Security Alerts related to XSS.
    • Block malicious users or IPs.
  2. Enable SharePoint Audit Logs:
    • Go to Microsoft Purview (Compliance Center).
    • Check for unusual activities like script injections.

F. Update SharePoint & Apply Security Patches

PowerShell: Check Installed SharePoint Version

(Get-SPFarm).BuildVersion

If outdated, apply the latest security updates.

G. Remove JavaScript from SharePoint Pages

  1. Navigate to the affected SharePoint page.
  2. Click Edit Page.
  3. Remove the Script Editor Web Part (if present).
  4. Save & publish the page.

5. Testing & Verifying XSS Fixes

A. Use Browser Developer Tools

  • Open F12 Developer Tools (Console).
  • Check for XSS warnings in the browser.

B. Run Security Scans

Use tools like:

  • OWASP ZAP (https://www.zaproxy.org/) – Detects XSS vulnerabilities.
  • Burp Suite – Tests SharePoint for security flaws.

6. What to Do If an XSS Attack Is Detected?

If you suspect an XSS attack:

  1. Immediately remove the affected list items or scripts.
  2. Disable custom scripts in SharePoint Admin Center.
  3. Run Microsoft Defender security scans.
  4. Change admin passwords if unauthorized access is detected.
  5. Check Audit Logs for the attacker’s details.

Leave a Reply

Your email address will not be published. Required fields are marked *