
# About cross-site scripting

Cross-site scripting (or XSS) is a security vulnerability sometimes found in websites. In a site that is not well protected, malicious users can enter scripts into web pages that are viewed by other users (for example, in a comment or in the body of a page). A cross-site scripting vulnerability may be used by attackers to log in as another user. It’s important to configure the text formats of your website to prevent such abuse.

The good news is that GovCMS comes with two preconfigured text formats:

1. Rich text (CKEditor-enabled)
2. Plain text

![Image of GovCMS text formats](/files/K6Wm7OaKGAqYaU9gTpny)

As a site builder, you can always add your own text formats and configure the roles allowed to use them.

Follow these and other best practices to keep your site safe:

1. The **Rich Text** format is intended for trusted users only (Content Authors or Administrators). Even though it has an HTML tag filter applied (see the Allowed HTML Tags setting in the Rich Text format configuration under *Configuration* → *Content authoring* → *Text formats and editors* → **Rich text**), some sites may request that no HTML tag restriction be in place.

   <div data-gb-custom-block data-tag="hint" data-style="danger" class="hint hint-danger"><p><strong>This can represent a severe security risk.</strong></p></div>

2. The **Plain text** format is intended for anonymous users, and does not have CKEditor enabled.

3. When working with user-generated content, it's always best to keep input format settings as secure as possible. Select the least amount of functionality possible for each role; for example, don't allow anonymous users to have access to the **Rich Text** format.

> **Note:** Certain inputs are restricted by default on GovCMS (such as the tags needed to display video properly) to protect the system from malicious code. Rich text format should only be accessible by trusted users.
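To show what an allowed-tags filter actually does to user-supplied markup, here is a simplified allowlist filter written for this page (it is not GovCMS or Drupal code). It reads an allowlist in the same `<tag attr attr>` syntax as the Allowed HTML Tags setting, keeps only listed tags and attributes, rejects script-scheme URLs in kept attributes, and turns everything else into plain text; the allowlist string and inputs are constructed examples.

```python
import html
import re
from html.parser import HTMLParser

# Constructed allowlist in the syntax of the "Allowed HTML tags" field:
# each entry is a tag followed by the attributes permitted on it.
ALLOWED_HTML = "<a href hreflang> <em> <strong> <p> <ul> <ol> <li> <h2> <h3>"

VOID_TAGS = {"br", "hr", "img"}  # tags that never get a closing tag


def parse_allowed_html(spec: str) -> dict[str, set[str]]:
    """Turn '<a href hreflang> <em>' into {'a': {'href', 'hreflang'}, 'em': set()}."""
    allowed = {}
    for entry in re.findall(r"<([^>]+)>", spec):
        tag, *attrs = entry.split()
        allowed[tag.lower()] = {a.lower() for a in attrs}
    return allowed


def is_script_url(value: str) -> bool:
    # Browsers ignore whitespace/control characters inside the scheme,
    # so strip them before comparing.
    return re.sub(r"[\s\x00-\x1f]+", "", value).lower().startswith("javascript:")


class AllowlistFilter(HTMLParser):
    """Rebuild the markup, keeping only allowlisted tags and attributes."""

    def __init__(self, allowed: dict[str, set[str]]):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out = allowed, []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # the tag is dropped; any text inside it is kept as text
        kept = []
        for name, value in attrs:
            value = value or ""
            # Unlisted attributes (onerror, onclick, ...) and script URLs are dropped.
            if name in self.allowed[tag] and not is_script_url(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is re-escaped


def filter_html(markup: str, spec: str = ALLOWED_HTML) -> str:
    """Apply the allowlist in `spec` to `markup`; an empty spec leaves only text."""
    f = AllowlistFilter(parse_allowed_html(spec))
    f.feed(markup)
    f.close()
    return "".join(f.out)
```

Calling `filter_html` with an empty allowlist approximates the Plain text format, while the default allowlist approximates a restricted Rich text format; a format with no restriction would pass the input through untouched.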

![Image of Comic](/files/-LzEdJG6A8HX844S7PSg)

Source: <https://xkcd.com/327/>

Comic reproduced under a [Creative Commons Attribution-NonCommercial 2.5 License](http://creativecommons.org/licenses/by-nc/2.5/).

