To avoid security problems on a website, you need different levels of filtering for the data posted by its users.
This generally comes down to something like this:
* The owner of a website can write anything they want on any page, including HTML, JavaScript, IFRAME, etc.
* An editor may be able to add IFRAMEs or OBJECTs, but no JavaScript.
* An author can enter anything on a page except IFRAME, OBJECT and JavaScript code.
* A registered user can insert images and format their text (left, right, bold, etc.)
* A simple visitor can only write text.
The filter does two things:
1) remove unwanted HTML tags;
2) transform plain text such as <hello world> into proper code (i.e. &lt;hello world&gt;) so that a browser displays it as text instead of interpreting it as a tag.
Note that "no JavaScript" covers more than the <script> tag: event handler attributes (onclick, onload, etc.) and javascript: URLs in attributes such as href or src also run code, so a filter that forbids JavaScript has to strip those as well.
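As an added example (not Snap! Websites code), the following Python filter implements the tiers listed above together with the two operations just described: HTML a role may not use is removed while its text is kept, anything that is not recognised markup is escaped so that <hello world> reaches the browser as text, script bodies are dropped, and the attribute-based forms of JavaScript are stripped too. The role names, the per-tier allow-lists, the safe URL schemes and all function names are assumptions made for the illustration.

```python
"""Role-tiered filter for user-submitted HTML (added example, not Snap! Websites code).

The role names, the per-tier allow-lists, the safe URL schemes and the
function names are assumptions made for this illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags each tier may keep; every tier inherits the one below it (assumed sets).
VISITOR_TAGS = frozenset()                                           # text only
USER_TAGS = VISITOR_TAGS | {"p", "br", "b", "strong", "i", "em", "u",
                            "div", "span", "img"}                    # formatting + images
AUTHOR_TAGS = USER_TAGS | {"a", "h1", "h2", "h3", "ul", "ol", "li", "table",
                           "tr", "td", "th", "blockquote", "pre", "code"}
EDITOR_TAGS = AUTHOR_TAGS | {"iframe", "object", "embed"}            # still no JavaScript
ROLE_TAGS = {"visitor": VISITOR_TAGS, "user": USER_TAGS,
             "author": AUTHOR_TAGS, "editor": EDITOR_TAGS}

# Elements whose content is code rather than text: dropped together with their body.
DROP_WITH_CONTENT = frozenset({"script", "style"})
# Tags the filter recognises as HTML.  Anything else, e.g. <hello world>,
# is treated as text the user typed and is escaped rather than deleted.
KNOWN_TAGS = EDITOR_TAGS | DROP_WITH_CONTENT | {"form", "input", "button", "hr"}
VOID_TAGS = frozenset({"br", "img", "hr", "input", "embed"})
URL_ATTRS = frozenset({"href", "src", "action", "data", "formaction"})
SAFE_SCHEMES = frozenset({"", "http", "https", "mailto"})           # "" = relative URL


def safe_url(value):
    """True unless the URL's scheme can execute code (javascript:, data:, vbscript: ...)."""
    if value is None:
        return True
    # Browsers ignore tabs/newlines inside a scheme ("java\nscript:"), so drop them first.
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    try:
        return urlsplit(cleaned).scheme in SAFE_SCHEMES
    except ValueError:              # unparsable (e.g. bad IPv6 literal): do not trust it
        return False


def render_attrs(attrs):
    """Serialise attributes, dropping event handlers and unsafe URLs, re-escaping values."""
    kept = []
    for name, value in attrs:       # HTMLParser already lower-cases names and decodes values
        if name.startswith("on"):                        # onclick, onload, ...: JavaScript
            continue
        if name in URL_ATTRS and not safe_url(value):
            continue
        kept.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
    return "".join(kept)


class RoleFilter(HTMLParser):
    """Rebuilds the document keeping only the tags the role may use.

    Comments, <!DOCTYPE> and processing instructions vanish because the base-class
    handlers do nothing; entities are decoded on input and text is re-escaped on output.
    """

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.skip_depth = 0                  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth:
            return
        elif tag not in KNOWN_TAGS:          # "<hello world>" -> "&lt;hello world&gt;"
            self.out.append(escape(self.get_starttag_text(), quote=False))
        elif tag in self.allowed:
            self.out.append(f"<{tag}{render_attrs(attrs)}>")
        # else: real HTML the role may not use: tag removed, its content kept

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth or tag in VOID_TAGS:
            return
        elif tag not in KNOWN_TAGS:
            self.out.append(escape(f"</{tag}>", quote=False))
        elif tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def filter_html(role, html):
    """Filter `html` at the tier for `role`; the owner's content passes untouched."""
    if role == "owner":
        return html
    parser = RoleFilter(ROLE_TAGS[role])
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

With constructed input such as `filter_html("author", '<p onclick="x()">a <a href="javascript:alert(1)">b</a><script>evil()</script> & <hello world></p>')` the result is `<p>a <a>b</a> &amp; &lt;hello world&gt;</p>`: the paragraph and link survive because an author may use them, the event handler and javascript: URL are gone, the script body is dropped outright, and the pseudo-tag is shown as text. The design choice worth noting is that a recognised-but-forbidden tag (an author's <iframe>) is silently removed while its content is kept, whereas text that merely looks like a tag is escaped; a real deployment would also decide what to do with the style attribute and with URL schemes beyond the short allow-list here.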
It should be noted that the filtering system could be used for many other text transformations. However, most of those transformations take place when XSLT runs over the resulting output, and the changes depend on the chosen output format.
At this point the user cannot choose the filters applied to a page; however, the XSS filter and the token filter are fully functional, they are just not properly wired up as far as how they get used. As we work on the editor and AJAX support, we will soon be able to implement the proper filtering behavior.
The use of a filter may also prevent a user with a lower permission level from editing content that they would otherwise be allowed to update. For example, a user who can only edit basic HTML will not be able to edit a page that contains JavaScript code.
Snap! Websites
An Open Source CMS System in C++