UGC website security

Rating and commenting functionality creates new entry points for website visitors, and brings with it the risk of compromising security. Specifically, the web service endpoint and the website itself are potentially vulnerable for attack. This topic explains some of the security concerns surrounding User Generated Content, and how you can address them.

SQL injection in comment forms

User Generated Content uses Hibernate to prevent SQL statements in comment forms from being executed. Visitors cannot manipulate your database using commenting.

JavaScript injection or other web code injection in comment forms

On your website, you can edit a whitelist of allowed HTML elements in submitted comments. Any tags not listed in this whitelist are stripped out of the comment. By default, the whitelist only lets commenters include links to HTTP resources, preventing JavaScript injection, and opens those links in a new tab or window. Of course, you can edit the whitelist to disallow any links of any kind, or even any HTML at all.

Comment flooding and mass rating or comment voting

By default, User Generated Content is not set up to prevent visitors from posting multiple comments on the same content, rating the same content multiple times, or downvoting or upvoting a comment multiple times. This makes it easier to demonstrate the functionality of the product, for example, to show how multiple downvotes cause a comment to 'drop off' the webpage.

However, this also leaves open the possibility for abuse. Malicious visitors can flood a webpage with comments, downvote a comment into nonexistence, or rate content any way they want.

You can prevent this by activating one of the Content Validators that the products ships with, or by building a new Content Validator yourself.