Caution about XSS

This article is a translation of an article in Russian.

XSS (Cross-Site Scripting) is a class of vulnerability that lets an attacker inject malicious code into a page; that code is then executed in the browser of every end user who visits the page (details). A potential victim in our case is any user of your support system, including you. The problem becomes broader if your project runs under your own subdomain (for example, support.example.com is your support project and example.com is your site).

We designed the templates so that an Administrator cannot accidentally create an exploit (as long as they do not inject JavaScript code) that another ordinary user could then use to perform an attack. Note that the platform does not prevent or deny the creation of such exploits. However, to create one, an Administrator would have to write specific code in a template. At that moment the Administrator who makes such an edit becomes either the attacker or the person responsible for the incident (for example, when some third-party code is copy-pasted into a template).

An Administrator can add or inject JavaScript into Theme templates. An Administrator must be very careful when injecting third-party JavaScript code. Use only code you trust and are sure is safe.
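The split described above, as an added example that is not the platform's own template engine: a minimal renderer in which user-submitted values interpolated through `{{name}}` placeholders are always HTML-escaped, while Administrator-authored markup is emitted verbatim, plus a heuristic check (names `renderTemplate` and `findScriptingConstructs` are assumptions) an Administrator can run on an edited template before saving it.

```javascript
// Added example, not the platform's own code: a "safe by default" renderer
// plus a pre-save review check for Administrator-edited templates.

// Escape the five characters that can change HTML structure or break out of
// an attribute value, so interpolated user data is rendered as text only.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// {{key}} placeholders carry user-controlled data (ticket text, names) and are
// always escaped. Everything else is Administrator-authored template markup and
// is emitted verbatim, which is exactly where pasted third-party script lands.
function renderTemplate(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? escapeHtml(data[key]) : ""
  );
}

// Heuristic review of a template before it is saved: flags the constructs that
// turn template markup into executable code. Not a complete XSS filter, only a
// prompt for the Administrator to look again at what they are about to publish.
function findScriptingConstructs(template) {
  const checks = [
    [/<script\b/i, "inline <script> element"],
    [/\son[a-z]+\s*=/i, "inline event handler attribute"],
    [/\b(?:href|src)\s*=\s*["']?\s*javascript:/i, "javascript: URL"],
  ];
  return checks.filter(([re]) => re.test(template)).map(([, label]) => label);
}

// Constructed sample data, as an ordinary support user might submit it.
const ticket = { subject: '<script>alert("hi")</script>', author: "O'Brien & Co" };
const trustedTemplate = "<h1>{{subject}}</h1><p>from {{author}}</p>";
// Constructed Administrator edit that pulls in an external script (placeholder URL).
const editedTemplate =
  '<h1>{{subject}}</h1><script src="https://cdn.example/widget.js"></script>';

// User markup is inert: the browser shows it literally instead of running it.
const html = renderTemplate(trustedTemplate, ticket);
// Administrator-authored script is not escaped, so the review check must flag it.
const findings = findScriptingConstructs(editedTemplate);
```

Running `findScriptingConstructs` on `trustedTemplate` returns nothing, while `editedTemplate` is flagged for its inline script element; the escaped `html` contains no `<script` sequence at all.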

Editing templates in your support project is entirely your responsibility, including but not limited to any kind of resulting damage.
