I will look at getting you a best practices document, but in the mean time some things to remember:
Anywhere a user can input data into the system there is a possibility for exploits to occur. This means that when rendering URLs in Freemarker you need to be careful: putting parameters input by the user directly back into the page is dangerous, for instance if part of the URL contains malicious code. Any user form input should be validated on input; to be safe, any HTML markup should be removed, not permitted, or escaped. Anywhere you pull in content from other systems and display it in your page, you run the risk of exposing your users to malicious code.
We have done a ton of work on Clearspace to fix the issues which were present in early versions of Clearspace, and we continue to make these improvements. That's why we recommend keeping your custom code base up-to-date with the latest bug fix releases in order to take advantage of these improvements.
I will circle up with the security team to see what sort of documentation we can get there, in the mean time please feel free to post more specific questions about it here.
Hope that helps,
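As an added illustration of the Freemarker point above (not code from the post or from Clearspace), the class below renders the same constructed user-controlled query parameter through two templates: one that echoes it raw into an attribute and the page body, and one that switches on FreeMarker's HTML auto-escaping and URL-encodes the value inside the href. It assumes FreeMarker 2.3.24 or later on the classpath; the template names, the `q` parameter and the sample value are made up for the example.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class FreemarkerEscapingDemo {
    // Constructed sample: a query parameter a user controls, carrying a quote and markup.
    static final String USER_QUERY = "\"><b>injected</b>";

    // Echoes the parameter straight back into an attribute and the page body
    // (the pattern the post warns against).
    static final String UNSAFE_TEMPLATE =
        "<a href=\"/search?q=${q}\">${q}</a>";

    // Same markup with the HTML output format, so every ${...} is HTML-escaped,
    // and ?url so the value inside the query string is percent-encoded first.
    static final String SAFE_TEMPLATE =
        "<#ftl output_format=\"HTML\">"
      + "<a href=\"/search?q=${q?url}\">${q}</a>";

    // Renders one template from a string with a single model variable "q".
    static String render(String name, String source) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(name, source);
        cfg.setTemplateLoader(loader);
        cfg.setURLEscapingCharset("UTF-8"); // the ?url built-in needs a charset
        Map<String, Object> model = new HashMap<>();
        model.put("q", USER_QUERY);
        Template template = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe: " + render("unsafe.ftl", UNSAFE_TEMPLATE));
        System.out.println("safe:   " + render("safe.ftl", SAFE_TEMPLATE));
    }
}
```

In the unsafe output the quote closes the href attribute and the `<b>` tag becomes live markup; in the safe output the quote and angle brackets appear only as entities and percent-escapes, so the browser renders them as text.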
Has there been any progress on this front? Our security team is concerned about XSS vulnerabilities. It would be nice to have a configuration best practices guide for locking down the application in levels from liberal to paranoid. It might also be nice if there were a secure channel (community, email list, etc.) to notify customers of vulnerabilities and patch info.
Did anything come out of this request from Jess Evans for a best practices doc? If yes, then is there one that reflects updates since to Engage?
The Jive editor has many macros and such that translate text to something else. For example, adding a user profile link will change to an image of a card. I just want to make sure these types of convenience features don't allow user input to execute code / surface XSS vulnerabilities.