Hi All,
I'm very interested in your feedback on best practices when 1) trying to mitigate the risk of XSS and other hacks while 2) providing CMS functionality that includes a web editor that clients use to publish web pages.

For example, there are many tags like <style>, <iframe>, and <embed> that are considered risks by OWASP and others but are also typically needed by CMS users to create web pages, embed YouTube videos, and the like.

We're thinking through how to manage the trade-offs so that we protect clients but don't frustrate them in making their web pages.

I'd love to know how others are managing these issues effectively. Our users who are creating web pages with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not just anyone can use the editor to create a web page. But we have generally had a lot more security than that.

I'm assuming that there are users of Mura, Farcry and other CMSs on this list and I'd love to know how you have addressed these risks.
Thanks in advance!
Nick
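The allow-list approach this question circles around, as an added example that is not code from the original post, from FCKeditor, or from any CMS named here: a stdlib-only Python sanitizer to run server-side on the editor's output before it is stored. The tag set, the attribute set and the YouTube embed hosts are assumed policy, not anything the post specifies. It keeps a small formatting vocabulary, admits <iframe> only when its src is an https YouTube /embed/ URL, drops <script>, <style>, <embed> and <object> (script and style together with their contents), drops every attribute that is not explicitly listed (so every on* handler and the style attribute go), and rejects any href/src whose scheme is not http or https after stripping the control characters browsers ignore inside URLs. <style> is deliberately not let back in: allowing CSS safely needs a CSS parser and its own allow-list, not an HTML one.

```python
"""Allow-list HTML sanitiser for CMS-editor output (stdlib only).

Added example, not code from the original post or from FCKeditor/Mura/Farcry.
The policy below (tags, attributes, embed hosts) is an assumption chosen for
illustration; tighten or extend it to match your own site.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a", "img", "ul", "ol",
                "li", "h1", "h2", "h3", "blockquote", "iframe"}
ALLOWED_ATTRS = {"a": {"href", "title"},
                 "img": {"src", "alt", "width", "height"},
                 "iframe": {"src", "width", "height"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}        # the tag and its text both vanish
EMBED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}   # assumed policy


def _clean_url(value):
    # Browsers ignore tabs, newlines and other control characters inside a URL,
    # so remove them before parsing; otherwise "java\tscript:" passes a scheme check.
    return "".join(ch for ch in (value or "") if ord(ch) >= 0x20).strip()


def url_allowed(tag, value):
    """True if this URL may appear in href/src on this tag."""
    cleaned = _clean_url(value)
    try:
        url = urlparse(cleaned)
        host = url.hostname          # strips userinfo and port, lowercases
    except ValueError:               # malformed netloc (e.g. bad IPv6 brackets)
        return False
    if tag == "iframe":              # only YouTube embed URLs over https
        return (url.scheme == "https" and host in EMBED_HOSTS
                and url.path.startswith("/embed/"))
    if url.scheme in ("http", "https"):
        return bool(url.netloc)
    # site-relative link: no scheme and no host, which rejects
    # javascript:, data:, vbscript: and protocol-relative //evil.example
    return bool(cleaned) and url.scheme == "" and url.netloc == ""


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open = []       # emitted tags not yet closed
        self.skipping = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            if tag in DROP_WITH_CONTENT:
                self.skipping += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = 1
            return
        if tag not in ALLOWED_TAGS:
            return           # forbidden/unknown element: only its text survives
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue     # covers every on*, style, srcdoc, target, ...
            if name in ("href", "src"):
                if not url_allowed(tag, value):
                    continue
                value = _clean_url(value)
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        if tag == "iframe" and not any(a.startswith(" src=") for a in kept):
            return           # an iframe without an approved src is dropped whole
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_WITH_CONTENT:
                self.skipping -= 1
            return
        if tag in self.open:
            while True:      # close whatever the author left open inside it
                t = self.open.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                 # comments (incl. IE conditional comments) are dropped

    def result(self):
        while self.open:     # balance anything still open at end of input
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return a sanitised copy of an HTML fragment produced by the editor."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # constructed sample of editor output with an injected payload
    print(sanitize('<p>Hi <b>there</b></p><img src=x onerror=alert(1)>'
                   '<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>'))
```

Run it on save rather than on render, so the stored page is already clean and a later template change cannot reintroduce the raw markup. Keep the admin login as the second layer rather than the only one: a stolen administrator session or a CSRF'd editor form is exactly the case where the sanitizer earns its keep. A Content-Security-Policy whose frame-src lists the same embed hosts gives a third, browser-enforced layer if something ever slips past.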

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357710