Risk from not filtering front end user input?


(Tim Mcqueen) #1

Hello great minds,

 

I am wanting to hear your thoughts on the risk level of NOT filtering front end user input on forms & asset builders.

 

If I DO filter it (which has been our setting) I cannot make the forums & blog-type posts work properly through Asset Builders, as it does not parse the HTML, it puts it as if it was just normal text. To combat the code tags appearing in the posts, we can set the input field to be a text field, not WYSIWYG, but then it still won't put in the paragraph breaks, and if I use a <pre> tag it will filter it to display as normal text, not parsed.

 

I have experimented with turning the filtering off, and it does fix my problem.

But is there much of a risk level associated with doing this?

 

We don't have Asset Builders open to public people (only selected users who must login).

However, we do have forms that are submittable by the public (e.g. event registrations, enquiries, etc etc).

 

All I can find out is from the online manual:

  Filter Front End User Input

This preference allows you to determine whether or not to filter front end user inputs in forms such as Asset Builders and Custom Forms. When enabled, this preference will strip script tags and keyword replacements, and escape html from user inputs.

Such inputs, in rare cases, can affect the backend operations of Squiz Matrix and may cause unexpected and potentially adverse behavior. This preference eradicates this risk, improving the security of your system.

Please note that enabling this option will only filter form inputs for asset attributes, for example, when inputting the attributes of an asset being created on an Asset Builder, as well as WYSIWYG and Text (single and multiple) metadata field type inputs; other asset inputs, such as web paths, will not be filtered.

By default, this preference is set to Do not filter input.


Thoughts on whether it is a likely risk, or worth the functionality??

 

Thank you for your thoughts!

Emily.
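To make the manual text above concrete, here is an added example (my own Python, not Squiz Matrix code) that models what the "Filter Input" preference does to a submitted value, and shows that paragraph breaks can still be rendered on output without ever trusting the submitter's markup. The function names and the sample submission are constructed for illustration.

```python
import html
import re

# Constructed sample of a public form submission (not from the thread).
SAMPLE_INPUT = (
    "Great event, thanks!\n"
    "<script>alert('xss')</script>\n\n"
    "See you <b>next</b> year."
)

# Matches a complete <script>...</script> block, case-insensitively.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def filter_front_end_input(raw: str) -> str:
    """Model of the documented 'Filter Input' behaviour: script blocks are
    stripped, then every remaining HTML character is escaped so a browser
    treats the stored value as text, not markup. Escaping is the real
    safety net: an unclosed <script> that the regex misses is still
    rendered inert because its angle brackets become &lt; and &gt;."""
    without_scripts = SCRIPT_TAG_RE.sub("", raw)
    return html.escape(without_scripts, quote=True)


def render_paragraphs(filtered: str) -> str:
    """Restore structure at output time, AFTER escaping: blank-line separated
    blocks become <p> elements and single newlines become <br>. Every tag
    emitted here is generated by us, never copied from the submitter, so
    the result keeps readable paragraphs with no user-controlled markup."""
    blocks = [b.strip() for b in re.split(r"\n\s*\n", filtered) if b.strip()]
    return "".join("<p>" + b.replace("\n", "<br>") + "</p>" for b in blocks)


def store_and_render(raw: str) -> str:
    """Pipeline a public form would take: filter on the way in, render out."""
    return render_paragraphs(filter_front_end_input(raw))


if __name__ == "__main__":
    print(store_and_render(SAMPLE_INPUT))
```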


(Nic Hubbard) #2

I assume you use User Groups? If so, make your Global Setting for Filter Front End User Input "Filter Input", but then change the Preference for your logged in user group to be "Do not filter input". That way, Public Users will have filtering turned on, logged in users won't.


(Tim Mcqueen) #3

How did I not know we can set customised preferences for select usergroups?!?! Perfect!!

 

Thank you so much!

So glad to have such an easy solution this time! :)