Deprecated User Generated Content (UGC) feature
The User Generated Content (UGC) functionality (deprecated in SDL Tridion Sites as of SDL Tridion Sites 9.1, but a core feature in SDL Tridion Docs) allows your website visitors to rate and comment on content.
UGC requires its own database and ships with capabilities in the form of microservices (CIS) in the Content Delivery environment. The database contains comments and ratings. The microservices are added to the existing installation and synchronize visitor and moderator entries.
The architecture implements a safe, decoupled model, which means that you do not need to allow inbound traffic for UGC.
The security level of UGC depends heavily on how secure you make it. SDL strongly recommends integrating your UGC implementation with existing authorization and authentication frameworks.
In addition, UGC includes measures that prevent SQL statements in comment forms from being executed, so visitors cannot manipulate your database through commenting. Any tags not listed in the whitelist are stripped out of the comment. By default, the whitelist only lets commenters include links to HTTP resources, which prevents JavaScript injection, and opens those links in a new tab or window. You can edit the whitelist to disallow links of any kind, or even any HTML at all.
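The whitelist behavior described above, sketched as an added example (not SDL's code and not the product's configuration format). The tag list, `sanitize_comment`, and the other names are assumptions made for illustration; `rel="noopener noreferrer"` is an extra hardening choice for links that open in a new tab.

```python
from collections import Counter
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for this example: tag -> attributes that may be kept.
ALLOWED_TAGS = {"a": {"href"}, "b": set(), "i": set(), "em": set(), "strong": set()}
# Constructed sample comment, not taken from a real site.
SAMPLE = ('Nice <b>post</b>! <a href="http://example.com/doc" onclick="steal()">docs</a>'
          ' <a href="javascript:alert(1)">x</a>')

def is_http_url(value):
    """True only for absolute http:// or https:// URLs."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # malformed URL, treat as not allowed
        return False
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)

class CommentSanitizer(HTMLParser):
    """Re-emits a comment from parser events, keeping only allowlisted markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []               # sanitized output fragments
        self.open_tags = Counter()  # allowlisted tags emitted and not yet closed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag is stripped; its text still arrives via handle_data
        kept = [(n, v.strip()) for n, v in attrs if n in ALLOWED_TAGS[tag] and v]
        if tag == "a":
            kept = [(n, v) for n, v in kept if is_http_url(v)][:1]
            if not kept:
                return  # no usable http(s) href: drop the anchor, keep its text
            kept += [("target", "_blank"), ("rel", "noopener noreferrer")]
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        self.open_tags[tag] += 1
    def handle_endtag(self, tag):
        if self.open_tags[tag] > 0:  # only close what was actually emitted
            self.open_tags[tag] -= 1
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always HTML-escaped

def sanitize_comment(html_text):
    parser = CommentSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Emptying `ALLOWED_TAGS` gives the "no HTML at all" setting, and removing the `a` entry gives the "no links" setting.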