Does anyone know if it’s possible to implement custom user input validation, specifically for new users, new admin badges and new user fields.
After a penetration test we found we are vulnerable to HTML Injection and other malicious inputs in these areas and wondered if there is a way to further validate these inputs to improve security (possibly by using regex or another way to achieve the same result)
Thanks in advance!
Yes, it is possible for you, or a professional Discourse plugin developer, to write a “relatively simple” plugin to add validation to models.
Perhaps you should post your request in marketplace?
What fields are susceptible to html injection?
Exacly what I was going to ask.
I hope he tells the developers in private before us 
Doesn’t Discourse take part in a scheme through which they will pay for security vulnerability discoveries?
Indeed: hackerone
Thanks for getting back so quickly!
So the affected parameters are:
User Creation: name, title, location, bio_raw
Badges: name, description, long_description
user fields: name, description
We are part of the community but not staff. You would need to a get a response from them on this. However, given the attention paid to vulnerabilities and security by the team, plus the use of industry standard frameworks, I would reserve judgement until they’ve had time to respond.
This doesn’t sound like something you should need to mitigate, but at the same time, it may already be addressed in some way.
I would like very surprised if those allowed html injection. Please demonstrate that by editing your profile here with a trivial example.
