External Linking to elgg websites

In Elgg, its qualifiable WYSIWYG editor allows editing the HTML source code.

My questions are:

1. Does editing the HTML source code allow hackers to insert malicious JavaScript code and serve malicious content to users?

2. If the source can be edited, can hackers redirect users to a malicious website using anchor text?

How can we handle situations like the above?



  • 1. No, they can't - give it a try.

    2. Yes, anyone can post a link to anywhere, including malicious sites. There has to be some level of trust somewhere; otherwise you can't let people post anything at all.

  • The content entered in text input fields is filtered on saving to remove dangerous code. This is done by the bundled htmlawed plugin. So, no dangerous code should remain in saved content.

    Links are not dangerous by default, so they are not filtered. So, there's always a risk that a link might point to a site that is fishy. But it's the same as with spam content. You might stop some unwanted content from being posted by preventing spammers from creating accounts in the first place, using anti-spam plugins. But some spammers might still be able to register, and you would then have to remove the content and the spammer's account. So, you would need to keep an eye out for other unwanted content in the same way, or hope a user reports it before any harm is done.

  • Thanks Matt and iionly. Then for the second issue we need to develop an anti-spy application which should validate each link before it gets posted. I am trying to protect all users of our website, because some will not update the anti-worm application on their systems.

    Can anyone explain how we can identify whether a webpage has malware, and what criteria we need to consider for that? I think scanning the source code would be a better option, but from that how can we identify which code blocks are malicious and which are not?

  • There is also another option: open all external links within a wrapper on your site itself and add a top banner to get feedback from the user on whether it's a spam / malicious link. If they say yes, return them to your site and flag the content (so that other users won't click on the same link again). If they say "no", then you can open the external site in another tab. Depending on the aggregate rating, you can flag the content as spam / malicious and remove it from your site with a cron job.
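
The following is an added example, not code from Elgg, the htmlawed plugin, or any of the posters above. It is a minimal Python model of the two controls the thread discusses: an allowlist filter that strips script tags, event-handler attributes and javascript: URLs before content is saved (the kind of filtering iionly describes), and a rewrite of off-site links through a site-controlled redirect page so the site can show the warning banner Webgalli proposes. The hostname social.example.org, the /out?url= endpoint and the sample post are all assumptions constructed for the example.

```python
"""Allowlist HTML sanitizer plus external-link wrapper (illustrative, stdlib only).

Added example, NOT Elgg's or htmlawed's code. It models two controls:
(1) filtering saved content so script, event handlers and javascript: URLs
    never reach other users' browsers, and
(2) rewriting off-site links through a site-controlled redirect page
    (the hypothetical /out?url=...) where a warning banner can be shown.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

SITE_HOST = "social.example.org"   # assumption: the site's own hostname
WRAPPER_PATH = "/out"              # assumption: hypothetical redirect endpoint

# Tags and attributes a user post may contain; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
CONTROL_AND_SPACE = "".join(map(chr, range(0x21)))


def _safe_url(value):
    """True if the URL is relative or uses an allowlisted scheme.

    Browsers drop tab/CR/LF anywhere in a URL and leading control chars or
    spaces before resolving it, so the scheme is checked on that same form
    (otherwise "java\\tscript:" would slip past as a relative URL).
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n")
    scheme = urlparse(cleaned.lstrip(CONTROL_AND_SPACE)).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def _is_external(url):
    host = urlparse(url).hostname
    return host is not None and host.lower() != SITE_HOST


def wrap_external(url):
    """Send off-site links through the site's own redirect/banner page."""
    if not _is_external(url):
        return url
    return WRAPPER_PATH + "?" + urlencode({"url": url})


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue               # drops onclick=, onerror=, style=, ...
            if name in URL_ATTRS:
                if not _safe_url(value):
                    continue           # drops javascript:, data:, vbscript: ...
                if tag == "a":
                    value = wrap_external(value)
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a" and any(k.startswith(" href=") for k in kept):
            kept.append(' rel="nofollow noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Reduce user-supplied HTML to the allowlist before storing or rendering."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of what a user might paste into the editor's source view.
SAMPLE_POST = (
    '<p>Hello <b>world</b><script>document.location="http://evil.example/steal"</script></p>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(document.cookie)">click</a>'
    '<a href="https://social.example.org/profile/bob">Bob</a>'
    '<a href="http://evil.example/login">free stuff</a>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_POST))
```

Run as a script, it prints the filtered post: the script block and its text are gone, the onerror handler and the javascript: href are stripped, the internal profile link is untouched, and the off-site link now points at /out?url=... so the site can interpose a banner. Note that the wrapper only gives the site a place to warn and collect feedback; it does not by itself decide whether the destination is malicious, which is the open question in the rest of the thread.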

  • Thanks, Team Webgalli.

    It is also a good option, which lets users say whether the posted link has malware or not, but some problems arise:

    1. Spammers (who are also users) can give a negative rating to the fine links posted by good users; their good information is then lost for all users, and it discourages good users who post valuable information.

    2. There will be at least one victim for every attack under the above policy. It is our responsibility to protect each and every user and to make them aware of malicious attacks coming through our websites.