Protecting Your Elgg Site

Written by Rodolfo Hernandez Wednesday, 24 November 2010

Some people are telling Elgg users to disable the “HTMLAWED” plugin (a plugin that comes by default with every Elgg install) so that they can embed content. This is not recommended.

This plugin stops users from adding arbitrary HTML/PHP code to your site. Such code could break your site design and might even allow phishers to embed code in order to steal users' passwords.

So, no matter what anyone says, do not disable HTMLAWED. Doing so could not only harm your website, but also harm or overload our servers. Not so long ago, there was a website to which someone uploaded a PHP script that overloaded one of Arvixe’s servers. It turned out that HTMLAWED was disabled and someone had added harmful code to the site.

For more info about Elgg hosting solutions, please visit Arvixe-Elgg Hosting.

Happy Hosting!

Rodolfo Hernandez



2 Comments

  1. Rapid Search   |  Wednesday, 08 December 2010 at 12:30 pm

    Excuse me, how do I configure htmlawed to allow media embeds?
    Thx before.

  2. Rodolfo Hernandez   |  Sunday, 12 December 2010 at 2:15 pm

    Go to mod/htmlawed

    Open the file start.php

    Look for this line:

    'schemes' => '*: http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto;'
    . 'style: color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'

    Add any needed HTML tag. For instance, after the tag “float”, we add “embed” so that we can embed content in Elgg.
