User input validation

Does anyone know if it’s possible to implement custom user input validation, specifically for new users, new admin badges and new user fields.

After a penetration test we found we are vulnerable to HTML Injection and other malicious inputs in these areas and wondered if there is a way to further validate these inputs to improve security (possibly by using regex or another way to achieve the same result)

Thanks in advance!

1 Like

Yes, it is possible for you, or a professional Discourse plugin developer, to write a “relatively simple” plugin to add validation to models.

Perhaps you should post your request in #marketplace?

What fields are susceptible to html injection?

3 Likes

Exacly what I was going to ask.

1 Like

I hope he tells the developers in private before us :slight_smile:

Doesn’t Discourse take part in a scheme through which they will pay for security vulnerability discoveries?

1 Like

Indeed: hackerone

2 Likes

Thanks for getting back so quickly!

So the affected parameters are:

User Creation: name, title, location, bio_raw

Badges: name, description, long_description

user fields: name, description

We are part of the community but not staff. You would need to a get a response from them on this. However, given the attention paid to vulnerabilities and security by the team, plus the use of industry standard frameworks, I would reserve judgement until they’ve had time to respond.

This doesn’t sound like something you should need to mitigate, but at the same time, it may already be addressed in some way.

2 Likes

I would like very surprised if those allowed html injection. Please demonstrate that by editing your profile here with a trivial example.

2 Likes

Welcome to Meta @Cal :wave:

Those fields are sanitized/escaped. Plus, Discourse has CSP enabled by default.

Those are also sanitized. They’re also only accessible to admins, and there’s also CSP.

If you’ve found a user-input security issue that happens with CSP on, we’d love to hear about it here.

7 Likes