SJ77 Posted May 17, 2023
I know HTML is sanitized, but in theory couldn't this allow a clever person a way to inject malicious code? Just trying to understand the risks before I use this option.
Randy Calvert Posted May 17, 2023
Just adding that does not add risk. But the question becomes what you do with the data input by the user.
Marc Posted May 17, 2023
We would not add options which allow the injection of malicious code in the software, other than items which should only be accessible by trusted people (posting HTML, editing templates, etc.).
SJ77 (Author) Posted May 17, 2023
5 hours ago, Marc Stridgen said: "We would not add options which allow the injection of malicious code in the software, other than items which should only be accessible by trusted people (posting HTML, editing templates, etc.)."
I am planning to allow people the option to post a URL containing an mp4 video file link. I will nest it in the right HTML for video player embed. @Marc Stridgen I know you would not add options to allow malicious code. I was more concerned about misusing the option and inadvertently causing a risk. Wasn't sure if there were some guidelines for this feature or not. Better to be cautious now than sorry later. Thank you.
Marc Posted May 18, 2023
There isn't really a set of guidelines for that, as it could be anything someone is adding, so the guidelines could only be to write secure code. If you are unsure on that, it would be best to contact a developer on this, rather than adding it yourself. Generally, however, if you are adding things from a known vendor using their code, it will likely have been tested.
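An added example, not part of the thread and not Invision Community code: one way to handle the member-supplied mp4 URL discussed above before nesting it in a video embed, by validating the URL and then escaping it for the HTML attribute it lands in. The function name `render_mp4_embed`, the host allowlist and the sample URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not an Invision Community API): returns a <video>
 * embed for a member-supplied URL, or null when the URL fails the checks.
 */
function render_mp4_embed(string $input, array $allowedHosts): ?string
{
    $url = trim($input);
    // Whitespace and control characters have no place in a URL.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    // https only: excludes javascript:, data: and mixed-content http.
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    // No embedded credentials, and only hosts the site owner has approved.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    // The path itself must name an .mp4 file.
    if (strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION)) !== 'mp4') {
        return null;
    }
    // Validation is not escaping: quotes and & can still appear in a valid URL.
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<video controls preload="none"><source src="' . $safe
         . '" type="video/mp4"></video>';
}

// Constructed sample inputs (assumed allowlist and URLs, not from the thread).
$allowed = ['media.example.com'];
$samples = [
    'https://media.example.com/clips/intro.mp4',       // accepted
    'https://media.example.com/clips/a.mp4?t=1&x="y',  // accepted, " and & escaped
    'javascript:void(0)//.mp4',                        // rejected: scheme, no host
    'http://media.example.com/clips/intro.mp4',        // rejected: not https
    'https://other.example.net/clip.mp4',              // rejected: host not allowed
];
foreach ($samples as $s) {
    echo (render_mp4_embed($s, $allowed) ?? 'REJECTED') . '  <=  ' . $s . PHP_EOL;
}
```

The second sample passes every validation check and is only safe to embed because of the `htmlspecialchars` call, which is the "what you do with the data" point made earlier in the thread.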