Security on post code

Hi Discourse,
Edit: I used to post my question under Post code or preformatted text.

In my self-hosted discourse, we have a WAF placed in front of installation. It has stricter rules by default which sometimes preventing users posting formatted code from creating. For example, edits contain /etc/init.d is taken as security issue. My question is how the preformatted text feature itself ensure any sort of code XSS or attacking. Or discourse core protects the code submitted avoiding security issues? Am I safe to allow all of posts containing code snippet, so that I can adjust the WAF rules?

/etc/init.d/aaa.local Compatibility

Thanks!

1 Like

Discourse protects against XSS in posts using multiple layers of protection.

Including:

  • CSP
  • Special library that only allows specific tags through
  • Cooking markdown (converting from MD → HTML) in a sandbox.

We treat security issues incredibly seriously, you can read more about it at: HackerOne

Your WAF should not need to do any blocking like this.

5 Likes