AWS solutions high security documentation change
Summary
Restructured upgrade notes: Added section for v7.4.0 Alexa Skill ID requirement and updated v7.3.12 HTML sanitization details with corrected terminology.
Security assessment
Documents two security features: 1) Alexa Skill ID authorization (prevents unauthorized access) and 2) Server-side HTML sanitization (explicitly states it prevents stored XSS attacks). The sanitization change directly references mitigation of a known web security vulnerability (XSS).
Diff
diff --git a/solutions/latest/qnabot-on-aws/update-the-solution.md b/solutions/latest/qnabot-on-aws/update-the-solution.md index c27309a67..0d4f0406d 100644 --- a//solutions/latest/qnabot-on-aws/update-the-solution.md +++ b//solutions/latest/qnabot-on-aws/update-the-solution.md @@ -11 +11 @@ If you have previously deployed the solution, follow this procedure to update th -###### Important +###### For those upgrading to v7.4.0 and above @@ -13 +13 @@ If you have previously deployed the solution, follow this procedure to update th -**For those upgrading to v7.3.12 and above** +QnABot on AWS v7.4.0 introduces a new `AlexaSkillIds` AWS CloudFormation parameter for Alexa Skill authorization. If you are using Alexa integration with an existing QnABot deployment, you must provide your Alexa Skill IDs in the `AlexaSkillIds` parameter during stack update to maintain Alexa functionality. New deployments have Alexa turned off by default. For details, see [Getting answers using Amazon Alexa](./step-4-interact-with-the-chatbot.html#getting-answers-using-amazon-alexa). @@ -15 +15,3 @@ If you have previously deployed the solution, follow this procedure to update th -QnABot on AWS v7.3.12 applies server-side HTML sanitization on `alt.html` and `alt.markdown` response fields to prevent stored XSS attacks. If your Q&A responses use custom HTML tags or attributes beyond the default allowlist, those tags or attributes will be excluded from responses after upgrading. Please review [Server-side sanitization and using custom tags and attributes in responses](./server-side-html-sanitization.html) to understand which tags and attributes are allowed by default, and for instructions on how to allow-list any custom tags or attributes before or after upgrading. +###### For those upgrading to v7.3.12 and above + +QnABot on AWS v7.3.12 applies server-side HTML sanitization on `alt.html` and `alt.markdown` response fields to prevent stored XSS attacks. If your Q&A responses use custom HTML tags or attributes beyond the default allow list, those tags or attributes will be excluded from responses after upgrading. Review [Server-side sanitization and using custom tags and attributes in responses](./server-side-html-sanitization.html) to understand which tags and attributes are allowed by default, and for instructions on how to add custom tags or attributes to the allow list before or after upgrading.