Security on post code

Hi Discourse,
Edit: I used to post my question under Post code or preformatted text.

In my self-hosted Discourse, we have a WAF placed in front of the installation. It has stricter rules by default, which sometimes prevent users from creating posts containing formatted code. For example, an edit containing /etc/init.d is treated as a security issue. My question is how the preformatted text feature itself guards against any sort of code XSS or attack. Or does Discourse core protect the submitted code to avoid security issues? Am I safe to allow all posts containing code snippets, so that I can adjust the WAF rules?

/etc/init.d/aaa.local Compatibility

Thanks!

1 Like

Discourse protects against XSS in posts using multiple layers of protection.

Including:

  • CSP
  • Special library that only allows specific tags through
  • Cooking markdown (converting from MD → HTML) in a sandbox.

We treat security issues incredibly seriously; you can read more about it at: HackerOne

Your WAF should not need to do any blocking like this.

4 Likes
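To make the layers in the reply above concrete, here is an added example (not Discourse's own code, and its tag/attribute allowlists are assumptions for the demo): a fenced-code "cook" step that HTML-escapes code contents, so a block containing `/etc/init.d` is inert text, followed by an allowlist sanitizer over the rendered HTML that drops unknown tags and unlisted attributes.

```javascript
// Added illustration, not Discourse's own code: a minimal "cook" step for fenced
// code blocks plus an allowlist sanitizer. Tag/attribute lists are demo assumptions.
const ALLOWED_TAGS = new Set(["p", "pre", "code", "a", "strong", "em"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };

// Escape text so the browser renders it literally; this is what keeps code inert.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
function wrapParagraphs(text) {
  return text.split(/\n{2,}/).map(s => s.trim()).filter(Boolean)
             .map(s => `<p>${s}</p>`).join("");
}
// Cook: fenced blocks become <pre><code> with escaped contents, so "/etc/init.d" or
// even "<script>" inside a fence is plain text. Text outside fences (raw HTML
// included) is passed through so the sanitizer below has something to filter.
function cook(markdown) {
  const fence = /```[^\n]*\n([\s\S]*?)```/g;
  let out = "", last = 0, m;
  while ((m = fence.exec(markdown)) !== null) {
    out += wrapParagraphs(markdown.slice(last, m.index));
    out += "<pre><code>" + escapeHtml(m[1]) + "</code></pre>";
    last = fence.lastIndex;
  }
  return out + wrapParagraphs(markdown.slice(last));
}

// Allowlist sanitizer: unknown tags are dropped (their text stays); on allowed tags
// only listed attributes survive, so every on* handler goes, and href must be
// http(s). Regex-based for brevity; a real sanitizer walks a parsed DOM instead.
function sanitize(html) {
  return html.replace(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g, (whole, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";
    if (whole.startsWith("</")) return `</${tag}>`;
    const keep = [];
    const attrRe = /([a-zA-Z][\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
    for (let a; (a = attrRe.exec(attrs)) !== null;) {
      const key = a[1].toLowerCase();
      const val = a[2].replace(/^["']|["']$/g, "");
      if (!(ALLOWED_ATTRS[tag] && ALLOWED_ATTRS[tag].has(key))) continue;
      if (key === "href" && !/^https?:\/\//i.test(val)) continue;
      keep.push(`${key}="${escapeHtml(val)}"`);
    }
    return `<${tag}${keep.length ? " " + keep.join(" ") : ""}>`;
  });
}
function renderPost(markdown) { return sanitize(cook(markdown)); }
```

The CSP layer from the reply is not modelled here; it is a response header that limits what a browser will execute even if something slipped past the other two layers.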