Code Injection into content

Created by: Lester Caine, Last modification: 10 Dec 2008 (09:12 UTC)
One of the best ways of preventing susceptibility to malicious HTML hacking is simply to disable HTML in all posts. As the bitweaver framework allows a number of formats for content, using a wiki-type format and disabling HTML altogether is probably the most secure option. Even where HTML is required for some special purpose, it is more secure to create a plugin that generates the HTML than to allow the user to type it manually. An example of something that could be converted to a plugin is the script for a PayPal shopping basket button: the plugin would take only variables such as name, price and quantity and fill in the rest of the HTML structure itself.
It may be that the flexibility of HTML outweighs the security problems of managing it, in which case bitweaver provides a number of additional tools to sanitise data entry. One current advantage of HTML is the availability of online WYSIWYG editors. Bitweaver provides both FCKeditor and TinyMCE (although only the first is currently up to date), and both provide a level of input filtering, such as allowing only a subset of HTML tags. Since it can be possible to bypass the editors and enter HTML manually, a second level of filtering is provided, with either a simple HTML purifier or the more comprehensive HTMLPurifier package. Additionally, due to the modular nature of bitweaver, alternative filters can easily be added if they become available.
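The "plugin instead of hand-typed HTML" approach above, as an added example that is not bitweaver's own plugin code: the user supplies only plain values (name, price, quantity), the plugin validates them and owns every byte of markup, so a hostile value can never become a tag. The function name, the form field names and the checkout URL are illustrative assumptions.

```php
<?php
// Added example, not bitweaver code: a shopping-basket button rendered by a
// plugin from typed-in variables, rather than by letting the user paste HTML.
// Field names and the action URL are illustrative assumptions.

function basket_button_plugin(array $params): string
{
    // Validate structured fields strictly instead of trying to "clean" markup.
    $name     = trim((string)($params['name'] ?? ''));
    $price    = (string)($params['price'] ?? '');
    $quantity = (string)($params['quantity'] ?? '');

    if ($name === '' || strlen($name) > 127) {
        throw new InvalidArgumentException('name must be 1-127 characters');
    }
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('price must be a decimal amount');
    }
    if (!preg_match('/^[1-9]\d{0,3}$/', $quantity)) {
        throw new InvalidArgumentException('quantity must be 1-9999');
    }

    // Every value is placed inside a quoted attribute, so encode for that
    // context: quotes and angle brackets become entities, never delimiters.
    $e = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<form method="post" action="https://checkout.example/pay">' . "\n"
         . '  <input type="hidden" name="item_name" value="' . $e($name) . '">' . "\n"
         . '  <input type="hidden" name="amount" value="' . $e($price) . '">' . "\n"
         . '  <input type="hidden" name="quantity" value="' . $e($quantity) . '">' . "\n"
         . '  <input type="submit" value="Add to basket">' . "\n"
         . '</form>';
}

// Constructed hostile input: the name tries to break out of the attribute and
// inject a tag, which would succeed if the user typed the button HTML by hand.
$hostile = [
    'name'     => '"><script>alert(1)</script>',
    'price'    => '9.99',
    'quantity' => '2',
];
echo basket_button_plugin($hostile), "\n";
// The name is emitted as &quot;&gt;&lt;script&gt;... inside the value attribute
// (inert text), and price/quantity had to match a numeric pattern to get this far.
```

Compare this with the editor-level tag allowlist and the HTMLPurifier pass described above: those filter markup after the fact, whereas the plugin never accepts markup in the first place, so the two layers complement each other.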