The other day I saw a signature in a forum that said something along the lines of:
Just because you're not paranoid it doesn't mean somebody isn't out to get you.
However little there is to be gained from hacking your site, somebody will probably have a go at it. Even if there's nothing in it for them financially, it can simply be the challenge. Sometimes it might be to inform you of your site's shortcomings. Whatever the intention, and however important you think it is for your site or your customer's application to be completely secure, it's well worth getting in there first and saving face and sleepless nights.
One major area of concern is Cross-Site Scripting (XSS) — users injecting nasty bits of executable code into the content of a site, where it then runs in the browsers of everyone else who views that content.
XSS is of particular concern for any site where the users actually create the content, as is often the case with Domino applications, and where there's little or no approval process. If you have a document with a rich text field on it (or any other field, for that matter) then you need the Form's WebQuerySave (WQS) agent to make sure the content is safe to display to other unsuspecting users.
Stripping all HTML out of plain text fields is easy enough: a simple @ReplaceSubstring in the Input Translation formula does the trick. It gets trickier when you want to allow some HTML in a rich text field (through the use of WYSIWYG editors) but need to filter out the unwanted HTML.
So, I'm looking to see how people do this. What's the best way to strip all the nastiness out of a large rich text field, and what exactly do we need to strip? In short — how do we avoid XSS issues with user-driven Domino content? Is a simple LotusScript Replace() call enough? If so, what are the arrays of strings to look for?
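As an added illustration (not code from the original post, and not a Domino or LotusScript artifact), the following Python shows the two approaches the post asks about side by side: a single-string replace, which only catches the literal text it is given, and an allowlist sanitizer of the kind a WQS agent would need to implement, which parses the HTML, keeps only known-safe tags, attributes and URL schemes, escapes everything else as text, and discards the contents of script and style elements. The tag, attribute and URL-scheme allowlists are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for the example: only these tags/attributes survive.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}     # tag *and* its text are discarded
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def naive_replace_filter(html: str) -> str:
    """What a single Replace() call gives you: it removes the exact string
    '<script>' and nothing else, so any variation slips straight through."""
    return html.replace("<script>", "").replace("</script>", "")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from scratch, emitting only allowlisted pieces.
    Comments, declarations and processing instructions are dropped because
    HTMLParser's default handlers for them do nothing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to keep the output well-formed
        self.skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers, style, and anything unlisted
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # only allowlisted URL schemes survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag so nesting stays balanced.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if self.skip_depth == 0:
            # Entities were decoded by the parser; re-escape so text stays text.
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of user-submitted rich text.
    sample = '<b>Hello</b> <script type="text/javascript">alert(1)</script><p onclick="x()">hi</p>'
    print("replace():", naive_replace_filter(sample))
    print("allowlist:", sanitize(sample))
```

The replace-based filter leaves the sample's script element untouched because it is not spelled exactly `<script>`, whereas the allowlist version never needs a list of bad strings at all: anything it does not recognise is either dropped or turned into harmless text. That is the general answer to the question above: enumerate what is allowed, not what is forbidden.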
Whatever I learn here I'll put into a downloadable NSF for all to use. I'll also put it online so that the wannabe hackers amongst us can take their best shot at it and we can make sure we've got something truly secure.