Discourse Security Guide

(Sam Saffron) #1

I started an initial draft for an official Discourse Security Guide:

I would like us to expand and pretty it up.

If you have any suggestions for improvements please let us know OR send through a pull request with your suggested changes.

(Kevin P. Fleming) #2

What’s up with the bold-face on ‘the’, ‘is’ and other words in that onebox?

(happycollision) #3

Seems that Discourse is rendering the text as <code> and is trying to be helpful with some syntax highlighting. Not sure if there is a way to tell it not to, but there might be.

(Ben T) #4

I believe it is similar to this issue, where it’s matching extra keywords in code blocks. (also it’s sort of ugly to pull in the code blocks as a quote!)

(Nicholas Perry) #5

That site says you might want to go to Introduction | Caja | Google Developers instead. The one you linked to is apparently for people working on Caja, not for users of it.

(Jeff Atwood) #6

Github oneboxes assume everything on Github is code. I made the link a regular link and not a onebox. Problem solved for now.

(Jeff Atwood) #7

OK, first round of editing complete with all known changes…

See the Official Discourse Security Guide for further review!

(Mark IJbema) #8

To me it feels strange to see a document about security which does mention XSS and CSRF, but not SQL injection. Is this intentional?

I also wondered how extensive the list of places for XSS issues is meant to be? If there are other places where XSS can happen, should they be added, and if so, when are they deemed ‘major’ enough?