Efficy allows rich, formatted text to be stored in an item’s Memo field. A logged-on, authenticated attacker could insert JavaScript scripts or HTML DOM objects into the HTML-formatted text. These could in turn be used to take over active sessions!

To prevent this risk, Efficy can “sanitize” (clean up) the input fields by removing risky HTML tags.



The HTML tags can be configured as a blacklist or a whitelist. A blacklist lists the forbidden HTML tags; all others are allowed. A whitelist lists the allowed HTML tags; all other tags are forbidden.

Are whitelists more secure than blacklists? Theoretically they are not, but in practice they may be. A whitelist strictly limits the Memo fields to the HTML tags that can commonly be expected in that context. A blacklist has to be exhaustive: the risk of forgetting a tag that should be forbidden is higher…

Enter value 1 to have the tag list interpreted as a blacklist, or value 2 to have it interpreted as a whitelist.
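The two modes, as an added Python illustration that is not Efficy’s own implementation: a small tag filter reads one tag list either as a blacklist (mode 1) or as a whitelist (mode 2) and rebuilds the memo without the rejected tags. The memo text, the tag lists and the names TagFilter and sanitize_memo are assumptions for this example; it filters tags only, as the parameter described here does.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample memo: legitimate formatting plus two tags a sanitizer should not pass.
MEMO = '<p>Call <b>customer</b> on Monday.<script>run()</script><object data="x"></object></p>'

class TagFilter(HTMLParser):
    # Rebuilds the HTML, dropping tags the policy rejects. mode 1 reads tag_list as a
    # blacklist (listed tags forbidden), mode 2 as a whitelist (only listed tags allowed).
    def __init__(self, mode, tag_list):
        super().__init__(convert_charrefs=True)
        self.mode = mode
        self.tags = {t.lower() for t in tag_list}
        self.out = []        # rebuilt output fragments
        self.dropped = []    # removed tags, in order (useful for audit logging)
        self.discard = None  # set inside a dropped <script>/<style>: its body is code, not text

    def allowed(self, tag):
        return tag not in self.tags if self.mode == 1 else tag in self.tags

    def handle_starttag(self, tag, attrs):
        if self.allowed(tag):
            # Re-escape attribute values so the rebuilt markup stays well-formed.
            attr_text = "".join(f' {k}="{escape(v or "")}"' for k, v in attrs)
            self.out.append(f"<{tag}{attr_text}>")
        else:
            self.dropped.append(tag)
            if tag in ("script", "style"):
                self.discard = tag

    def handle_endtag(self, tag):
        if tag == self.discard:
            self.discard = None
        elif self.allowed(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.discard is None:
            self.out.append(escape(data, quote=False))  # text content is kept, re-escaped

def sanitize_memo(html_text, mode, tag_list):
    """Return (sanitized_html, dropped_tags) for a SanitizeMemoTagList-style policy."""
    p = TagFilter(mode, tag_list)
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.dropped

# Blacklist {script}: a tag the administrator forgot (<object>) is still let through.
BLACKLIST_RESULT = sanitize_memo(MEMO, 1, ["script"])
# Whitelist of the formatting tags expected in a memo: anything unexpected is removed.
WHITELIST_RESULT = sanitize_memo(MEMO, 2, ["p", "b", "i", "br", "a"])
```

Comparing the two results shows the point made above: the blacklist is only as good as its completeness, while the whitelist removes every tag that was not explicitly expected.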

detailed instructions: Security Management (download this technical note from the Efficy FTP site)

related parameter: SanitizeMemoTagList

