
UGC website security

Rating and commenting functionality creates new entry points for website visitors, and brings with it the risk of compromising security. Specifically, the web service endpoint and the website itself are potentially vulnerable to attack. This topic explains some of the security concerns surrounding User Generated Content, and how you can address them.

UGC Moderation Service and Community Service authentication (OAuth)

You can implement authentication for your Content Porter web service. If you already have authentication set up for the web service, configure the UGC Moderation Service and Community Service endpoints in Content Manager.

Accessing the UGC Moderation Service and Community Service through SSL (HTTPS connection)

If you have set up your UGC Moderation Service and Community Service to be only accessible through HTTPS, configure User Generated Content on the Content Manager to access the UGC Moderation Service and Community Service.

SQL injection in comment forms

User Generated Content uses Hibernate to prevent SQL statements in comment forms from being executed. Visitors cannot manipulate your database using commenting.

JavaScript injection or other web code injection in comment forms

On your website, you can edit a whitelist of allowed HTML elements in submitted comments. Any tags not listed in this whitelist are stripped out of the comment. By default, the whitelist only lets commenters include links to HTTP resources, preventing JavaScript injection, and opens those links in a new tab or window. Of course, you can edit the whitelist to disallow any links of any kind, or even any HTML at all.
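The default behavior described above (strip every tag except links to HTTP resources, and open those links in a new tab or window) can be illustrated with the following added example. It is not the product's own sanitizer or whitelist format; the names `CommentSanitizer` and `sanitize_comment`, the treatment of HTTPS as an allowed scheme, and the `rel` attribute are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: "HTTP resources" includes HTTPS
# rel="noopener noreferrer" is an added hardening assumption for new-tab links.
LINK = '<a href="%s" target="_blank" rel="noopener noreferrer">'

def allowed_href(href):
    """True only for URLs whose scheme is on the allowlist."""
    try:
        return urlsplit(href).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:  # malformed URL: reject rather than guess
        return False

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_links = 0  # <a> tags emitted and not yet closed
        self.skipping = 0    # non-zero while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
        elif tag == "a" and not self.skipping:
            href = (dict(attrs).get("href") or "").strip()
            if allowed_href(href):
                # Re-emit href only; onclick, style and the rest are dropped.
                self.out.append(LINK % escape(href, quote=True))
                self.open_links += 1
        # Every other tag is not on the allowlist and is stripped.

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skipping:
            self.skipping -= 1
        elif tag == "a" and self.open_links:
            self.out.append("</a>")
            self.open_links -= 1

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def sanitize_comment(raw):
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    # Close links the commenter left open so markup cannot leak into the page.
    return "".join(parser.out) + "</a>" * parser.open_links
```

Because the check is an allowlist on the URL scheme, a `javascript:` link loses its tag and only its text remains, and the contents of `script` and `style` elements are dropped along with the tags.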

Comment flooding and mass rating or comment voting

By default, User Generated Content is not set up to prevent visitors from posting multiple comments on the same content, rating the same content multiple times, or downvoting or upvoting a comment multiple times. This makes it easier to demonstrate the functionality of the product, for example, to show how multiple downvotes cause a comment to 'drop off' the webpage.

However, this also leaves open the possibility for abuse. Malicious visitors can flood a webpage with comments, downvote a comment into nonexistence, or rate content any way they want.

You can prevent this by activating one of the Content Validators that the product ships with, or by building a new Content Validator yourself.