UNIT 5: TEXT FORMATS AND RICH TEXT

About cross-site scripting

Last updated 2 years ago

Cross-site scripting (or XSS) is a security vulnerability sometimes found in websites. In a site that is not well protected, malicious users can enter script into web pages that are viewed by other users (for example, in a comment or in the body of a page). A cross-site scripting vulnerability may be used by attackers to log in as another user. It is important to configure the text formats of your website to prevent such abuse.

The good news is that GovCMS comes with two preconfigured text formats:

  1. Rich text (CKEditor-enabled)

  2. Plain text

As a site builder, you can always add your own text formats and configure the roles allowed to use them.

Follow these and other best practices to keep your site safe:

  1. The **Rich Text** format is intended for trusted users only (Content Authors or Administrators). Even though it has the HTML tag filter applied (see Allowed HTML tags in the Rich Text format configuration under Configuration → Content authoring → Text formats and editors → Rich text), some sites may request that no restriction be in place, leaving no HTML tag restriction at all.

     This can represent a severe security risk.

  2. The **Plain text** format is intended for anonymous users, and does not have CKEditor enabled.

  3. When working with user-generated content, it is always best to keep input format settings as secure as possible. Select the least amount of functionality possible for each role; for example, don't allow anonymous users to have access to the **Rich Text** format.

Note: Certain inputs are restricted by default on GovCMS (such as the tags needed to display video properly) to protect the system from malicious code. Rich text format should only be accessible by trusted users.
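As an added illustration (not part of the GovCMS manual or of Drupal's own filter code), the following Python sketch shows what an allow-list text format does with attacker-controlled markup: a Rich text style filter keeps only allow-listed tags and attributes and drops unsafe link schemes, while a Plain text style filter escapes everything. The tag list is a constructed example, not GovCMS's actual configuration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list in the spirit of a Drupal "Allowed HTML tags" setting
# (illustrative only; not the exact GovCMS Rich text configuration).
ALLOWED_TAGS = {
    "p": set(), "br": set(), "em": set(), "strong": set(), "ul": set(), "ol": set(),
    "li": set(), "h2": set(), "h3": set(), "blockquote": {"cite"}, "code": set(),
    "a": {"href", "hreflang"},
}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" covers relative links
VOID_TAGS = {"br"}

class AllowListFilter(HTMLParser):
    """Rebuild the markup, keeping only allow-listed tags and attributes."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.skip = 0   # >0 while inside <script>/<style>, whose content is dropped entirely

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in self.allowed:
            return      # disallowed tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag]:
                continue   # drops onclick=, style=, and every other unlisted attribute
            if name == "href" and urlparse(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue   # drops javascript: and data: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
            return
        if not self.skip and tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_rich_text(html, allowed=ALLOWED_TAGS):
    """Rich text style format: allow-listed markup survives, everything else is stripped."""
    parser = AllowListFilter(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def filter_plain_text(text):
    """Plain text style format: no markup survives, every special character is escaped."""
    return escape(text, quote=True)
```

The `skip` counter is what makes `<script>` bodies disappear rather than being rendered as text, which is the failure mode an over-permissive "no restriction" Rich text format exposes.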

[Image: GovCMS text formats]

[Image: comic]

Source: https://xkcd.com/327/

Comic reproduced under a Creative Commons Attribution-NonCommercial 2.5 License.