That makes sense. As far as I know, in OFBiz, input that involves text editors is sanitized. Adding to Nitin's inputs: we can use libraries like Jsoup[1] at the back end to properly sanitize the user's input, and at the front end some advanced editor like Summernote that allows escaping of script execution[2]. If we can make these changes configurable, they won't affect the intrinsic behavior.
References:
1. https://jsoup.org/
2. https://summernote.org/deep-dive/#xss-protection-for-codeview

Other references that can add to it:
https://happycoding.io/tutorials/java-server/sanitizing-user-input
https://www.netsparker.com/blog/web-security/cross-site-scripting-xss/
https://github.com/Alex-D/Trumbowyg/issues/160
https://www.acunetix.com/websitesecurity/cross-site-scripting/

Thanks and regards,
Aditya Sharma

On Tue, 20 Aug 2019 at 01:44, Nitin Lokhande <nitin.lokha...@gmail.com> wrote:

> Thoughts I have on this which might need some more effort too.
>
> Allowing only alphanumeric in blog post (for publish)
> Not providing publish option and only preview option (can use wider character set)
> Creating db manually and limited rights to user connecting to db.
> Create read-only demo by limiting rights of db user.
> No visibility of new posts and appending keyword to blog handle (delete such blog every 30 min, by some scripts)
> All new posts trigger emails to moderators prior/after publish (include committers from different regions as moderators for demo application)
> Add captcha for publish as well.
>
> Thanks,
> Nitin
>
> On Mon, Aug 19, 2019 at 11:47 AM Dave <snoopd...@gmail.com> wrote:
>
> > I'm not totally opposed to the idea but there are some security risks to be considered.
> >
> > One of Roller's biggest vulnerabilities is that users are trusted to publish any type of content and this includes JavaScript which can be used to make cross-site scripting and request forgery attacks. You really have to trust your bloggers because the system does not sanitize user input (except for blog comments). Even if we delete the data every day bad actors could use the system to make these sorts of attacks. We could disable custom themes, but folks could still publish malicious code in blog posts.
> >
> > How is that handled for Kibble and OFBiz, do they sanitize all user input?
> >
> > Dave
> >
> > On Mon, Aug 19, 2019 at 9:30 AM Aditya Sharma <adityasha...@apache.org> wrote:
> >
> > > Indeed.
> > >
> > > +1
> > >
> > > Thanks and Regards,
> > > Aditya Sharma
> > >
> > > On Sat, 17 Aug 2019 at 18:41, Swapnil M Mane <swapnilmm...@apache.org> wrote:
> > >
> > > > Hi team,
> > > >
> > > > New adopters and users are generally looking for a demo instance of any software to evaluate it.
> > > > This brings me a thought: we should have a demo instance for Roller.
> > > >
> > > > Other Apache projects have also set up a demo instance for their project, like
> > > > Apache Kibble - https://demo.kibble.apache.org/
> > > > Apache OFBiz - https://demo-trunk.ofbiz.apache.org/ecommerce/control/main
> > > >
> > > > The demo instance will be redeployed every day with fresh data and the latest codebase (we may set up instances for old releases, but it is not the priority; we can do it later).
> > > >
> > > > We can request the infra team to set up the demo instance at
> > > > https://demo.roller.apache.org/
> > > >
> > > > Thoughts?
> > > > Please let me know if I missed any existing demo instance.
> > > >
> > > > Best regards,
> > > > Swapnil M Mane,
> > > > www.apache.org
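As an added illustration of the back-end Jsoup sanitizing suggested above (example code, not Roller's or OFBiz's own), this class strips everything from a submitted blog post except a small allowed set of formatting tags and attributes; it assumes Jsoup 1.14.1 or later, where the allow-list class is named `Safelist` (older releases call it `Whitelist`), and the class and sample input are constructed for this example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/** Hypothetical helper: sanitizes blogger-supplied HTML before it is stored or rendered. */
public final class BlogPostSanitizer {

    // Allow only the markup a blog post legitimately needs. Anything not listed
    // (script/style tags, on* event-handler attributes, javascript: URLs, custom
    // attributes) is removed rather than escaped, so it never reaches the page.
    private static final Safelist POST_SAFELIST = Safelist.basicWithImages()
            .addTags("h1", "h2", "h3", "pre")
            .addProtocols("a", "href", "http", "https", "mailto")
            .addProtocols("img", "src", "http", "https");

    private BlogPostSanitizer() {}

    /** Returns a cleaned HTML fragment that conforms to POST_SAFELIST. */
    public static String clean(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, POST_SAFELIST);
    }

    /** True when the input already conforms; useful for logging or flagging posts for moderators. */
    public static boolean isAlreadySafe(String untrustedHtml) {
        return Jsoup.isValid(untrustedHtml, POST_SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary formatting mixed with markup a
        // hostile blogger might submit on a public demo instance.
        String submitted = "<h2>Hello</h2>"
                + "<p onmouseover=\"alert(1)\">Hi <b>there</b></p>"
                + "<script>alert(document.cookie)</script>"
                + "<a href=\"javascript:alert(1)\">click</a>"
                + "<img src=\"https://example.com/a.png\" onerror=\"alert(1)\">";

        System.out.println("conforms before cleaning: " + isAlreadySafe(submitted));
        System.out.println(clean(submitted));
    }
}
```

The cleaned output keeps the heading, paragraph, bold text, link text and image, while the script element, the event-handler attributes and the `javascript:` href are dropped; `isAlreadySafe` returning false for a submission is a cheap signal for the moderator-notification idea in Nitin's list.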