Support forums - Best Practices

Best Practices

Last post 06-22-2009, 7:37 PM by Adam. 2 replies.


	Sort Posts: Previous Next

Reply Quote

Hi there,

Does anyone (or Cutesoft) have a best practices guide when it comes to security?

There are a lot of properties like EnableStripIframeTags, EnableStripLinkTagsCodeInjection, EnableStripStyleTagsCodeInjection, etc...

I want my users to be able to enter "code" but at the same time I don't want to leave any security holes open.

thanks in advance!

Daniel

Reply Quote

Daniel,

We have the following properties to control the input code. By default, they are set to true.

EnableStripIframeTags	Specifies whether to remove inject Iframe tags before writing the string into the db. When this property is set to true (the default) Cute Editor strips all iframe tags from the html to prevent iframe injection attack.
EnableStripLinkTagsCodeInjection	Specifies whether to remove <link> tags which contain malicious, client-side executable code before writing the string into the db. When this property is set to true (the default) Cute Editor strips all <link> tags which contain malicious, client-side executable code from the html to prevent link tag injection attack.
EnableStripScriptTags	Specifies whether to remove inject script before writing the string into the db. When this property is set to true (the default) Cute Editor strips all script elements and script contents from the html.
EnableStripStyleTagsCodeInjection	Specifies whether to remove inject <Style> tags which contain malicious, client-side executable code before writing the string into the db. When this property is set to true (the default) Cute Editor strips all <Style> tags which contain malicious, client-side executable code from the html to prevent style tag injection attack.

If you trust your users, you can set the above properties to false.

Reply Quote

Daniel,

We have the following properties to control the input code. By default, they are set to true.

EnableStripIframeTags	Specifies whether to remove inject Iframe tags before writing the string into the db. When this property is set to true (the default) Cute Editor strips all iframe tags from the html to prevent iframe injection attack.
EnableStripLinkTagsCodeInjection	Specifies whether to remove <link> tags which contain malicious, client-side executable code before writing the string into the db. When this property is set to true (the default) Cute Editor strips all <link> tags which contain malicious, client-side executable code from the html to prevent link tag injection attack.
EnableStripScriptTags	Specifies whether to remove inject script before writing the string into the db. When this property is set to true (the default) Cute Editor strips all script elements and script contents from the html.
EnableStripStyleTagsCodeInjection	Specifies whether to remove inject <Style> tags which contain malicious, client-side executable code before writing the string into the db. When this property is set to true (the default) Cute Editor strips all <Style> tags which contain malicious, client-side executable code from the html to prevent style tag injection attack.

If you trust your users, you can set the above properties to false.