Security and Disappearing SP pages


PeterT

Dec 18, 2012, 12:04:26 PM
to subjec...@googlegroups.com
Our hosted account was breached via Word Press and the service provider implemented a "solution" from SecureLive.

Part of that solution is to strip code entered from WYSIWYG editors out of POST commands to prevent XSS injections:

http://support.securelive.com/knowledgebase.php?article=15

http://support.securelive.com/knowledgebase.php?article=12

I'm hoping that our short-term solution will be to enter all resource URLs into the SP database and then into Pluslets from there, and not enter URLs via the editor.

However, wouldn't this kind of security "fix" render all SP instances broken?  (and why isn't it a problem in this WYSIWYG app?)

Thoughts and comments addressing this matter would be most appreciated.

Thank you,

Peter


Andrew Darby

Dec 18, 2012, 12:20:45 PM
to subjec...@googlegroups.com
If I understand correctly, this would break any CMS, since they all POST and store HTML code in the database--otherwise you'd just have one big long block of text.  Kind of an extreme solution, since there is security in place vs. XSS attacks in all CMSes (including SP).  The first link says that you can turn off this filter, which you will probably need to do, at least for the admin portion of the site.  The only posts on the public side are in Talkback and search forms, and these don't use FCKeditor and strip out any code.

--
You received this message because you are subscribed to the Google Groups "SubjectsPlus" group.
To view this discussion on the web visit https://groups.google.com/d/msg/subjectsplus/-/vmz_AkP_SQ4J.
To post to this group, send email to subjec...@googlegroups.com.
To unsubscribe from this group, send email to subjectsplus...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/subjectsplus?hl=en.
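As an added illustration of the point above (Python, not SubjectsPlus' own PHP code and not part of this thread): a route-aware filter that keeps an allowlist of editor markup for admin POSTs while stripping every tag from public Talkback/search fields. The `/control/` admin prefix and the sample Pluslet content are assumptions; running the strip-everything policy on the editor content shows why a blanket host-side filter loses the stored links.

```python
import html
from html.parser import HTMLParser

# Markup a WYSIWYG editor legitimately needs to store for a Pluslet.
EDITOR_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li"}
EDITOR_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class PolicySanitizer(HTMLParser):
    """Rebuild markup keeping only allowlisted tags/attributes; the rest becomes plain text."""

    def __init__(self, allowed_tags, allowed_attrs):
        super().__init__()  # convert_charrefs=True: entities reach handle_data decoded
        self.allowed_tags, self.allowed_attrs = allowed_tags, allowed_attrs
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):  # drop active content together with its body
            self.skip_depth += 1
            return
        if tag not in self.allowed_tags or self.skip_depth:
            return
        kept = ""
        for name, value in attrs:
            if name not in self.allowed_attrs.get(tag, set()):
                continue  # on* handlers and unknown attributes never pass
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # only plain web/mail links survive
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.allowed_tags and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(text, allowed_tags, allowed_attrs=None):
    parser = PolicySanitizer(allowed_tags, allowed_attrs or {})
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def filter_post(route, field_value):
    """Admin editor routes keep safe markup; public forms (Talkback, search) keep none."""
    if route.startswith("/control/"):  # hypothetical admin prefix, not SP's real routing
        return sanitize(field_value, EDITOR_TAGS, EDITOR_ATTRS)
    return sanitize(field_value, set())


# Constructed sample of what an editor might POST for a Pluslet, with junk mixed in.
PLUSLET_HTML = ('<p>See <a href="http://example.org/db" onclick="x()">the database</a>.</p>'
                '<script>alert(1)</script>')
```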

Peter Tagtmeyer

Dec 18, 2012, 12:23:57 PM
to subjec...@googlegroups.com
I saw that there was an off-switch mentioned, and I'm hoping it is granular enough to make the change.  More as it happens (or not) :)