Currently, XSS protection relies on AntiSamy for content that includes HTML (e.g., Blog entries). This has a few drawbacks:
- AntiSamy relies on pattern matching which means it's only as good as the pattern that is used to find scripts.
- AntiSamy prevents non-malicious scripts from working
- AntiSamy is a 3rd party library
Serve each blog entry in it's own sandboxed iframes. This has the advantage of:
- One less library to rely on
- Security will handled by the browser, i.e., admins don't need to deploy a new version of DXP to get a fix
- Blog writers can include non-malicious scripts in their blog entries.