Hi Guys, thanks for all the responses - much appreciated. Dave, this is an interesting idea which we haven't pursued yet. I don't have a clear sense of how the server configuration would work here. Would you have two separate db servers (one for authored content and one for published content) that would sync up? Or would you have an authoring infrastructure that would then generate more traditional static html? I'm just trying to get a sense of how the separation would work.
N

-----Original Message-----
From: Dave Watts [mailto:[email protected]]
Sent: Friday, February 28, 2014 8:29 AM
To: cf-talk
Subject: Re: Best practices for xss security in CMS?

> I'm very interested in your feedback on best practices when 1) trying
> to mitigate risk of XSS and other hacks while 2) providing CMS
> functionality that includes a web editor that clients use to publish web pages.
> For example, there are many tags like <style>, <iframe>, and <embed>
> that are considered risks by OWASP and others but are also typically
> needed by CMS users to create web pages, embed youtube videos, and the like.
> We're thinking through how to manage the trade-offs so that we protect
> clients but don't frustrate them in making their web pages.
> I'd love to know how others are managing these issues effectively.
> Our users who are creating web pages with an editor (FCKeditor) are
> generally working behind a login as administrators, so there is that
> login security - not anyone can use the editor to create a web page.
> But, we have generally had a lot more security than that.
> I'm assuming that there are users of Mura, Farcry and other CMS's on
> this list and I'd love to know how you have addressed these risks.

While Pete's responses are great (as always), you might also consider whether you can apply more "traditional" network access controls to the problem. For example, you might be able to separate authoring from publishing entirely, so that authors go to one server and viewers just go to the production publishing server. We do this for quite a few of our customers. This isn't necessarily a replacement for client injection risk mitigation, but it can be a great complement.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
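An added example, not from this thread nor from Mura, Farcry or FCKeditor, of the allow-list side of the trade-off the original question describes: a sanitizer built on Python's standard-library HTML parser that keeps the tags editor users need, drops script/style/object and every event-handler attribute, refuses javascript:/data: URLs, and admits <iframe> only when its src is a YouTube embed URL. The tag, attribute and host lists are assumptions to adjust per site, and the sample submission is constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Allow-list of tags authors actually need; any other tag is dropped but its text is kept.
ALLOWED = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "h1", "h2", "h3", "a", "img", "iframe"}
DROP_WITH_CONTENT = {"script", "style", "object"}  # removed together with everything inside them
KEEP_ATTRS = {"href", "src", "alt", "title", "width", "height"}  # on*, style, etc. are never kept
YOUTUBE_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}  # the only iframe sources allowed

def safe_url(url, allow_youtube=False):
    # http(s) or relative URLs only (no javascript:/data:); an iframe src must be a YouTube embed URL.
    p = urlparse("".join(c for c in (url or "") if c.isprintable()).strip())  # tabs/newlines can hide a scheme
    if allow_youtube:
        return p.scheme == "https" and p.netloc in YOUTUBE_HOSTS and p.path.startswith("/embed/")
    return p.scheme in ("http", "https", "")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0  # output parts, open tags, skip depth
    def handle_starttag(self, tag, attrs):  # html.parser hands us lowercased tag and attribute names
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = [(n, v or "") for n, v in attrs if n in KEEP_ATTRS]
            if any(n in ("href", "src") and not safe_url(v, tag == "iframe") for n, v in kept):
                return  # an element carrying an unvetted URL is dropped entirely
            self.out.append(f"<{tag}" + "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept) + ">")
            if tag not in ("br", "img"):
                self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            while self.open[-1] != tag:  # close anything left open inside this tag first
                self.out.append(f"</{self.open.pop()}>")
            self.out.append(f"</{self.open.pop()}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped on output, so a stray '<' cannot open a tag

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    s.out.extend(f"</{t}>" for t in reversed(s.open))  # close whatever the author left unclosed
    return "".join(s.out)
# Constructed sample of an editor submission (not from the thread); VIDEO_ID is a placeholder.
SAMPLE = ('<p onclick="steal()">Hello <b>world</b></p><script>alert(1)</script>'
          '<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe><iframe src="https://evil.example/x"></iframe>'
          '<a href="javascript:alert(1)">click</a><embed src="x.swf"><img src="pic.png" alt="a&b">')
```

Run `sanitize(SAMPLE)` to see the YouTube iframe survive while the script, the foreign iframe, the javascript: link, the embed and the onclick handler are all gone; this is the server-side complement to the authoring/publishing split Dave describes, not a substitute for it.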

