Cross site scripting (XSS)

  Previous topic Next topic JavaScript is required for the print function Mail us feedback on this topic! Mail us feedback on this topic!  

For your websites to be Cross site scripting (XSS) safe, the following rules need to be followed:

 

1. Do not use the built-in WYSIWIG editor (HTML area (Formatted Text) field type) to enable users enter text into the site (e.g. user profiles, forums, etc.). Instead use the BBcode editor.

 

devguide_clip0831

 

This editor is displayed by selecting BBcode editor as the value of the Field type attribute when defining document type fields:

 

devguide_clip0359

 

2. When writing your transformations, use the following method to resolve text entered via the BBcode editor:

 

CMSHelper.CMSContext.ResolveDiscussionMacros(string inputText)

 

3. When writing your transformations, use the Eval(string columnName, bool encode)method with the second parameter enabled to display content of any field whose content was entered by the users, e.g.:

 

<%# Eval("PostSubject",true) %>

 

Page url: http://devnet.kentico.com/docs/devguide/index.html?cross_site_scripting_xss.htm