One of the most effective ways of preventing exposure to malicious HTML is simply to disable HTML in all posts. Since the bitweaver framework allows a number of content formats, using a wiki-type format and disabling HTML altogether is probably the most secure option. Even where HTML is required for some special purpose, it is more secure to create a plugin that generates the HTML from a few parameters than to allow users to type it in manually. A good candidate for conversion into a plugin is the script for a PayPal shopping-basket button: the plugin would take only variables such as name, price and quantity and fill in the rest of the HTML structure itself, so the author of the post never writes any markup.
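The following is an added example (not bitweaver code, and written in Python rather than bitweaver's PHP) of the plugin approach just described: the post author types a plugin tag with three fields, and the plugin validates each field, escapes it, and emits the fixed form markup around it. The `{basket ...}` tag syntax, the `/basket/add` endpoint and the field limits are assumptions chosen for the illustration.

```python
import html
import re
from decimal import Decimal, InvalidOperation

# The plugin accepts exactly three fields; everything else in the output is
# fixed markup that the author of the post never gets to type.
_NAME_RE = re.compile(r"[A-Za-z0-9 .,'\-]{1,80}")
_QTY_RE = re.compile(r"[1-9][0-9]{0,4}")          # 1 .. 99999
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumed wiki-style plugin syntax: {basket name="..." price="..." quantity="..."}
_TAG_RE = re.compile(r"\{basket\s+(.*)\}", re.DOTALL)


def render_basket_button(name: str, price: str, quantity: str) -> str:
    """Validate the three user-supplied fields and emit the button markup."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError("item name contains disallowed characters")
    try:
        amount = Decimal(price)
    except InvalidOperation:
        raise ValueError("price is not a number") from None
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise ValueError("price must be positive with at most two decimals")
    amount = amount.quantize(Decimal("0.01"))      # always render e.g. 12.50
    if not _QTY_RE.fullmatch(quantity):
        raise ValueError("quantity must be a positive integer")

    # Values are escaped even though they passed validation: the validation
    # rules are policy and may be loosened later, escaping is what keeps the
    # output well-formed whatever the rules say.
    def attr(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        '<form method="post" action="/basket/add">'   # assumed endpoint
        f'<input type="hidden" name="item_name" value="{attr(name)}">'
        f'<input type="hidden" name="amount" value="{attr(str(amount))}">'
        f'<input type="hidden" name="quantity" value="{attr(quantity)}">'
        '<input type="submit" value="Add to basket">'
        "</form>"
    )


def expand_plugin(tag: str) -> str:
    """Turn one {basket ...} plugin tag, as typed in a wiki page, into HTML."""
    m = _TAG_RE.fullmatch(tag.strip())
    if not m:
        raise ValueError("not a basket plugin tag")
    attrs = dict(_ATTR_RE.findall(m.group(1)))
    missing = {"name", "price", "quantity"} - attrs.keys()
    if missing:
        raise ValueError(f"missing attributes: {sorted(missing)}")
    return render_basket_button(attrs["name"], attrs["price"], attrs["quantity"])


def is_rejected(tag: str) -> bool:
    """True if the plugin refuses the tag instead of producing markup."""
    try:
        expand_plugin(tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: a well-formed tag, then three that the
    # plugin must refuse (markup in the name, a non-numeric price, zero items).
    print(expand_plugin('{basket name="Blue Widget" price="12.50" quantity="2"}'))
    for bad in ('{basket name="<b>x</b>" price="1" quantity="1"}',
                '{basket name="Widget" price="free" quantity="1"}',
                '{basket name="Widget" price="1.00" quantity="0"}'):
        print("rejected:", is_rejected(bad), bad)
```

Because the author can only influence three attribute values, and each is both validated and escaped, the rest of the form cannot be altered by anything typed into the post.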
It may be that the flexibility of HTML outweighs the security problems of managing it, in which case bitweaver provides a number of additional tools to sanitise data entry. One current advantage of HTML is the availability of online WYSIWYG editors. Bitweaver provides both ((FckeditorPackage|fckeditor)) and ((TinymcePackage|tinymce)), although only the first is currently up to date; both provide a level of input filtering, such as allowing only a subset of HTML tags. Since the editors can be bypassed and HTML entered manually, a second level of filtering is provided by the ((Simple Purifier|simple html purifier)) or the more comprehensive ((HTMLPurifier)) package. Additionally, because of bitweaver's modular design, alternate filters can easily be added as they become available.
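To show what the second, server-side level of filtering does when the editor's own restrictions have been bypassed, here is an added example of a tag-subset filter in Python. It is not the code of bitweaver, the simple purifier or HTMLPurifier; the list of permitted tags, their attributes and the accepted URL schemes are assumptions made for the illustration. It drops unknown tags and event-handler attributes, removes `script` and `style` together with their contents, rejects `href` values with a script scheme, and re-escapes all text so the output is well-formed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: tags an editor might legitimately produce, each with the
# attributes it is allowed to keep. Everything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # the tag *and* its text are removed
SAFE_SCHEMES = {"http", "https", "mailto"}


def is_safe_url(url: str) -> bool:
    """Allow relative URLs and the schemes above; reject everything else."""
    # Browsers ignore embedded tabs and newlines when reading a URL, so they
    # must be removed before the scheme is inspected, not after.
    cleaned = "".join(ch for ch in url if ord(ch) > 32)
    scheme = urlparse(cleaned).scheme      # urlparse lower-cases the scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class TagWhitelist(HTMLParser):
    """Re-serialise a fragment keeping only the permitted tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)   # entities arrive decoded
        self.out: list[str] = []
        self.open_tags: list[str] = []
        self.skip = 0            # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return               # unknown tag dropped, its text is kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_TAGS[tag]:
                continue         # onclick, style, target, ... never survive
            if name == "href" and not is_safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open_tags:
            return               # stray or disallowed end tag, ignore it
        # Close any tags left open inside this one so nesting stays valid.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # base class, which discards them.

    def result(self) -> str:
        self.close()
        while self.open_tags:    # close whatever the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    parser = TagWhitelist()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample: what a post might contain after the editor was bypassed.
    sample = ('<p onclick="evil()">Hello <b>there</b></p>'
              '<script>alert(1)</script><a href="javascript:alert(1)">link</a>'
              '<img src=x onerror=alert(1)><i>unclosed')
    print(sanitize(sample))
```

The filter works on the parsed tree rather than on the raw string, which is why a disallowed attribute or an unterminated tag cannot be smuggled past it by creative spelling; the parser normalises the input first and the serialiser only ever writes out what the policy permits.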
Page History: version 1, 10 Dec 2008 (09:12 UTC), Lester Caine (81.138.11.136)