Disable User-Entered Passthru HTML On Your Forms
As part of the effort to make sure codestore was XSS-proof, which I did at the same time as discussing XSS in detail on here, I made a change to the Form that stores comments to articles. Since the site was born, and before it became a blog, the form has allowed you guys to post HTML to it. All you needed to know was that the HTML had to be wrapped inside [] square brackets. A few of you worked this out, but none of you took advantage of it in any sinister way.
In light of the alarming nature of XSS attacks, and the ease of performing them, I decided to disable Passthru HTML on that Form. To do this I added a field to the form called $$HTMLOptions and set its value to "DisablePassthruHTML=1". You can no longer enter HTML of any kind anywhere on this site (although I might change that at some point to allow a limited subset of HTML: b, i, a tags etc).
The only reason I added it to that form is that the "Body" field on it was Rich Text, whereas the comment form on the blog is plain text and so doesn't allow use of [] brackets anyway.
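To make the difference concrete, here is a small Python model of the behaviour described above. It is an added example, not Domino's own rendering code and not from the original post: bracketed text is emitted raw when passthru is on, everything is HTML-encoded when $$HTMLOptions is "DisablePassthruHTML=1", and a third, hypothetical mode sketches the limited b/i/a subset mentioned above. That Domino HTML-encodes the whole plain-text value in the disabled mode, and the exact [] parsing rule, are assumptions of the model.

```python
import html
import re

# Domino passthru convention described in the post: any text wrapped in [ ]
# square brackets is emitted to the browser as raw HTML. This regex models
# that convention; it is an assumption about the behaviour, not Domino code.
PASSTHRU_RE = re.compile(r"\[(.*?)\]", re.DOTALL)

# Hypothetical "limited subset" the post mentions: b, i and a tags only, and
# an anchor may only point at an http(s) URL in a double-quoted href.
ALLOWED_TAG_RE = re.compile(
    r'</?(?:b|i)>|<a href="(https?://[^"\s<>]+)">|</a>',
    re.IGNORECASE,
)


def _render(text: str, bracket_handler) -> str:
    """HTML-encode everything outside brackets; delegate bracketed spans to bracket_handler."""
    out = []
    pos = 0
    for m in PASSTHRU_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(bracket_handler(m))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def render_passthru_enabled(text: str) -> str:
    """Model of the original form: bracketed content reaches the page untouched (the XSS risk)."""
    return _render(text, lambda m: m.group(1))


def render_passthru_disabled(text: str) -> str:
    """Model of $$HTMLOptions = "DisablePassthruHTML=1": nothing is treated as HTML.
    Assumption: the whole plain-text value is HTML-encoded in this mode."""
    return html.escape(text)


def render_passthru_allowlist(text: str) -> str:
    """Hypothetical middle ground: only allow-listed b/i/a tags pass through.
    Anything else inside brackets is shown literally, brackets included."""

    def handle(m: re.Match) -> str:
        tag = m.group(1).strip()
        allowed = ALLOWED_TAG_RE.fullmatch(tag)
        if allowed is None:
            return html.escape(m.group(0))
        href = allowed.group(1)
        if href is not None:
            # Rebuild the anchor so only the validated URL reaches the page.
            return '<a href="%s">' % html.escape(href, quote=True)
        return tag.lower()

    return _render(text, handle)


if __name__ == "__main__":
    # Constructed sample comments, one per mode.
    print(render_passthru_enabled("Hi [<b>]there[</b>] & bye"))
    print(render_passthru_disabled("Hi [<b>]there"))
    print(render_passthru_allowlist('see [<a href="http://example.com/?a=1&b=2">]here[</a>]'))
    print(render_passthru_allowlist("[<script>x()</script>]"))
```

The allow-list mode never copies the poster's markup through: it matches a tag against a strict pattern and then re-emits a normalised tag it built itself, so an href that is not a plain http(s) URL, or any tag outside the list, is displayed as literal text rather than interpreted by the browser.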
I discovered the existence of this new HTMLOptions field following a comment on one of the XSS blog entries. I can't remember who posted it, but thanks anyway. The link was to this slideshow, which discusses "What's new in the Domino web server". Although it doesn't mention which version of the server (doh!), I guess it's 7.0.2.
It's worth skipping through the slideshow if you have some time to spare, as there are other options for the field that are worth knowing about.
Well that certainly solves a multitude of sins. Now if only they could have updated the help docs in the Domino Designer 8 Help app this might be a little more well known. (Specifically the "Predefined fields with built-in functionality" page)
Well done Jake for finding this little nugget of info.
Browsing through the design of bookmark.nsf, names.nsf, the mail template etc. may help in discovering a lot of undocumented goodies. But such features are likely to be deprecated and discarded in future versions without any notice.
Nice one Jake... I'm tired of stupid scumbots posting idiotic links into fields that are designed for guests to make pertinent comments.
I'll be deploying this.
Rgds
Nick