# About cross-site scripting

Cross-site scripting (or XSS) is a security vulnerability sometimes found in websites. In a site that is not well protected, malicious users can inject script into web pages that are viewed by other users (for example, in a comment or in the body of a page). A cross-site scripting vulnerability may be used by attackers to log in as another user. It’s important to configure the text formats of your website to prevent such abuse.

The good news is that GovCMS comes with two preconfigured text formats:

1. Rich text (CKEditor-enabled)
2. Plain text

![Image of GovCMS text formats](/files/K6Wm7OaKGAqYaU9gTpny)

As a site builder, you can always add your own text formats and configure the roles allowed to use them.

Follow these and other best practices to keep your site safe:

1. The **Rich Text** format is intended for trusted users only (Content Authors or Administrators). Even though it has an HTML tag filter applied (see *Allowed HTML tags* in the Rich text format configuration under *Configuration* → *Content authoring* → *Text formats and editors* → **Rich text**), some sites may request that this restriction be removed, leaving no HTML tag restriction in place at all.

   <div data-gb-custom-block data-tag="hint" data-style="danger" class="hint hint-danger"><p><strong>This can represent a severe security risk.</strong></p></div>

2. The **Plain text** format is intended for anonymous users, and does not have CKEditor enabled.

3. When working with user-generated content, it's always best to keep input format settings as secure as possible. Select the least amount of functionality possible for each role; for example, don't allow anonymous users to have access to the **Rich Text** format.

> **Note:** Certain inputs are restricted by default on GovCMS (such as the tags needed to display video properly) to protect the system from malicious code. Rich text format should only be accessible by trusted users.
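As an added illustration (not code from the GovCMS documentation or code base), the Python below models the two mechanisms the formats above rely on: an allow-list tag filter like the Rich text *Allowed HTML tags* setting, the same format with the restriction removed, and the escaping that Plain text applies to everything. The allow-list and the sample comment body are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser

class AllowListFilter(HTMLParser):
    """Keep only allow-listed tags/attributes (the job of Drupal's filter_html).
    Other tags, on* event handlers and javascript: URLs are dropped; text is kept escaped."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed  # {tag: {attribute, ...}}
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # tag not on the list: drop it
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.allowed[tag] or name.startswith("on"):
                continue  # unlisted attribute or event handler
            if name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                continue  # script URL in a link target
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def render_rich_text(text, allowed_html):
    """Rich text format. allowed_html=None models the tag restriction being
    removed, the setting the warning above calls a severe risk."""
    if allowed_html is None:
        return text  # nothing is filtered: the script reaches other users' browsers
    p = AllowListFilter(allowed_html)
    p.feed(text)
    p.close()
    return "".join(p.out)

def render_plain_text(text):
    """Plain text format: escape everything (Drupal's filter_html_escape)."""
    return html.escape(text, quote=True)

# Assumed allow-list for a Rich text format; the real GovCMS list is site-specific.
RICH_TEXT_ALLOWED = {"p": set(), "strong": set(), "em": set(), "a": {"href", "hreflang"}}

# Constructed comment body: an event handler, a script tag and a script URL.
SAMPLE = '<p onmouseover="run()">Hi <strong>there</strong><script>run()</script><a href="javascript:run()">link</a></p>'
```

`render_rich_text(SAMPLE, RICH_TEXT_ALLOWED)` keeps the paragraph and emphasis but strips the handler, the script tag and the script URL, while `render_plain_text(SAMPLE)` turns the whole body into inert text.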

![Image of Comic](/files/-LzEdJG6A8HX844S7PSg)

Source: <https://xkcd.com/327/>

Comic reproduced under a [Creative Commons Attribution-NonCommercial 2.5 License](http://creativecommons.org/licenses/by-nc/2.5/).

