Cross site scripting (XSS)

To keep your web sites safe from cross-site scripting (XSS), follow these rules:

 

1. Do not use the built-in WYSIWYG editor (HTML area (Formatted Text) field type) to let users enter text into the site (e.g. user profiles, forums, etc.). Use the BBcode editor instead.

 


 

This editor is displayed when you select BBcode editor as the value of the Field type attribute while defining document type fields.

 


 

2. When writing your transformations, use the following method to resolve text entered via the BBcode editor:

 

CMSHelper.CMSContext.ResolveDiscussionMacros(string inputText)

 

3. When writing your transformations, use the Eval(string columnName, bool encode) method with the second parameter set to true to display the content of any field whose content was entered by users, e.g.:

 

<%# Eval("PostSubject",true) %>
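Why rules 1 to 3 work together, shown as an added example (not Kentico's code and not how ResolveDiscussionMacros is implemented): because BBcode input contains no HTML, the server can HTML-encode everything the user typed and then emit only markup it chose itself. The BbCodeDemo class, its Render method, the supported tags and the sample inputs are all assumptions constructed for this illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Illustration only: encode first, then expand a fixed whitelist of BBcode tags.
static class BbCodeDemo
{
    const RegexOptions Opts = RegexOptions.IgnoreCase | RegexOptions.Singleline;

    public static string Render(string input)
    {
        // 1. Encode everything, so any HTML the user typed becomes inert text.
        string html = WebUtility.HtmlEncode(input ?? string.Empty);

        // 2. Links: only http/https targets are expanded. The target was already
        //    encoded in step 1, so a quote in it cannot close the href attribute.
        html = Regex.Replace(html,
            @"\[url=(https?://[^\[\]\s]+)\](.*?)\[/url\]",
            "<a href=\"$1\" rel=\"nofollow\">$2</a>", Opts);

        // 3. Simple paired tags that carry no attributes.
        html = Regex.Replace(html, @"\[b\](.*?)\[/b\]", "<strong>$1</strong>", Opts);
        html = Regex.Replace(html, @"\[i\](.*?)\[/i\]", "<em>$1</em>", Opts);

        // Anything that is not a recognised tag stays as encoded plain text.
        return html;
    }

    static void Main()
    {
        // Constructed sample posts, as a user might submit them.
        string[] samples =
        {
            "[b]Hello[/b] <script>alert(1)</script>",
            "[url=https://example.com/?q=\"x\"]docs[/url]",
            "[url=javascript:alert(1)]click[/url]",
            "[i]5 < 6 & 7 > 2[/i]"
        };

        foreach (string post in samples)
        {
            Console.WriteLine(Render(post));
        }
    }
}
```

The script element and the javascript: link come out as visible text rather than markup, which is the same effect Eval("PostSubject", true) has on a plain field.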