Kentico CMS 7.0 Developer's Guide

Cross site scripting (XSS)


To keep your websites safe from cross site scripting (XSS), follow these rules:


1. Do not use the built-in WYSIWYG editor (the HTML area (Formatted Text) form control) to let live site users enter text (e.g. in user profiles, forums, etc.). Use the BBcode editor instead.


[Image devguide_clip0831: the BBcode editor]


You can require users to use this editor by selecting BBcode editor as the value of the Form control property when defining fields for document types (or other objects), as shown in the following image.


[Image devguide_clip0359: the Form control property of a field set to BBcode editor]


2. When writing your transformations, use the following method to resolve text entered via the BBcode editor:


CMSHelper.CMSContext.ResolveDiscussionMacros(string inputText)


3. When writing your transformations, use the Eval(string columnName, bool encode) method with the second parameter set to true to display the content of any field whose value was entered by users, e.g.:


<%# Eval("PostSubject",true) %>
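The following transformation fragment puts rules 2 and 3 together for a forum-post listing. It is an added example, not markup from the Kentico documentation or the Kentico project; it assumes a "PostSubject" column holding plain text (the column name used in the page's example above) and a hypothetical "PostText" column whose value was entered through the BBcode editor.

```aspx
<%-- Added example transformation (not part of the Kentico documentation).
     Assumes the columns "PostSubject" (plain text) and "PostText" (entered via the BBcode editor). --%>
<div class="post">

  <%-- Unsafe variant (do not use): Eval("PostSubject") with no second parameter writes the stored
       value into the page as raw markup, so a subject containing HTML tags is rendered as HTML. --%>

  <%-- Rule 3: the encode parameter HTML-encodes the value, so the same subject is shown as literal text. --%>
  <h3><%# Eval("PostSubject", true) %></h3>

  <%-- Rule 2: BBcode entered through the BBcode editor is resolved by the CMS, rather than the user's
       text being emitted as raw HTML. Convert.ToString yields "" for a null column value. --%>
  <div class="post-text">
    <%# CMSHelper.CMSContext.ResolveDiscussionMacros(Convert.ToString(Eval("PostText"))) %>
  </div>

</div>
```

The two calls address different inputs: Eval with encode is for fields that should display exactly what the user typed, while ResolveDiscussionMacros is for fields that are meant to carry BBcode formatting. Use one or the other per field; do not emit a user-entered column with a bare Eval.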