As part of the effort to make sure codestore was XSS-proof, which I did at the same time as discussing XSS in detail on here, I made a change to the Form that stores comments to articles. Since the site was born and before it became a blog the form has allowed you guys to post HTML to it. All you needed to know was that the HTML needed wrapping inside [] square brackets. A few of you worked this out, but none of you took advantage of it in any sinister way.

In light of the alarming nature of and ease of performing XSS attacks I decided to disable Passthru HTML on that Form. To do this I add a field to the form called $$HTMLOptions and set its value to ""DisablePassthruHTML=1". You can no longer enter HTML of any kind anywhere on this site (although I might change that to allow a limited subset of HTML - b, i, a tags etc at some point).

The only reason I added it to that form is that the "Body" field on it was Rich Text, where as the comment form on the blog is plain text and so doesn't allow use of [] brackets anyway.

I discovered the existence of this new HTMLOptions fields following a post to one of XSS blog entries. I can't remember who posted it, but thanks anyway. The link was to this slideshow which discusses "What's new in the Domino web server". Although it doesn't mention which version of the server (doh!) I guess it's 7.0.2.

It's worth skipping through the slideshow if you have some time to spare as there are other options to the field that are worth knowing about.