Rants, Raves, and Rhetoric v4

HtmlSecurity.config

If you are a CE/Vista admin, then you should probably be aware of $WLDOMAIN/serverconfs/HtmlSecurity.config.

This file holds the regular expressions that block user input crafted to exploit forms. Say a student writes a mail message to another student containing JavaScript meant to execute malicious code and hijack a session. One of the regexes here would reject the message on Submit with an error, so it never makes it into the database.

The config file makes for interesting reading, especially at the end, where an administrator has the option of turning on items to block images, background images, anchor links, and (my personal favorite) any URL to an external portal “since it would be possible for students to trick instructors into unknowingly making requests to that system.”
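A sketch of the reject-on-submit behavior described above, with the optional categories switched on per rule. This is an added example, not CE/Vista code: the patterns, rule names, function names and the `lms.example.edu` host are all constructed, since the post does not show the file's actual contents.

```python
import re

# Constructed patterns: the real contents of HtmlSecurity.config are not shown in the post.
BASE_RULES = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
    "javascript-url": re.compile(r"javascript\s*:", re.I),
}
# Optional categories named in the post; an administrator turns each on individually.
OPTIONAL_RULES = {
    "images": re.compile(r"<\s*img\b", re.I),
    "background-images": re.compile(r"\bbackground(?:-image)?\s*[=:]", re.I),
    "anchor-links": re.compile(r"<\s*a\s[^>]*\bhref\s*=", re.I),
}
# Captures the host of any absolute or protocol-relative URL in a link-bearing attribute.
URL_ATTR = re.compile(
    r"""\b(?:href|src|action)\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>:]+)""", re.I
)


def check_submission(html, enabled=(), local_host="lms.example.edu"):
    """Return the name of every rule the input violates; an empty list means accept."""
    rules = dict(BASE_RULES)
    rules.update({n: OPTIONAL_RULES[n] for n in enabled if n in OPTIONAL_RULES})
    hits = [name for name, rx in rules.items() if rx.search(html)]
    if "external-urls" in enabled:
        hosts = {h.lower() for h in URL_ATTR.findall(html)}
        if hosts - {local_host.lower()}:  # any host other than the LMS itself
            hits.append("external-urls")
    return hits


def submit(html, store, **options):
    """Reject on any hit, so flagged input is never written to storage."""
    hits = check_submission(html, **options)
    if hits:
        return "rejected: " + ", ".join(hits)
    store.append(html)
    return "stored"
```

Because the whole submission is rejected rather than rewritten, a rule that is too broad surfaces as a user-facing error on legitimate input, which is worth checking before enabling the optional categories.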

 

