DNN Community Forums > Our Community > General Discussions

No filtering against script or html

2/26/2009 2:07 AM

I noticed today that the UDT module has a nice "Filter input for markup code or script input" checkbox in its settings. Don't know how they've implemented it, though. However, the option is absent in most of DNN's core modules. Why can't the same be done on all core modules?

2/26/2009 4:58 AM

Not all modules are created with the intention to allow public input. UDT 5.0.0 "Form and List", released as part of DNN 5.0.1, now provides you with a real forms module and is usable for input from any authenticated or unauthenticated users. Input from unauthenticated users will always be secured; input from authenticated users can be secured using the checkbox.


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts | German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN

2/26/2009 5:47 AM

Sebastian, thanks for the update. I'm at 4.9.1 of the core at the moment. What I feel is that these filtering functions should've been there (as an option checkbox, of course) in all core modules anyway as even if they are meant to be accessible only to authenticated users/roles, it will provide some protection against these users/roles intentionally or unintentionally inputting undesirable content. Of course, this is rather a trust issue as whoever you are delegating powers to have to be a trusted entity, but what if I have a site where there are a substantial no. of roles and users?

I notice that you're also on the UDT Module Project. I also noted that in the UDT module, the input filter you've implemented is server-side, i.e., it doesn't actually prevent scripts/HTML from being inputted. Rather, it looks like the stripping is done after submission, server-side. Can't ASP.NET validation controls be used to filter out the junk client-side (when JS is enabled) and server-side (when JS is disabled)? That, IMHO, would increase responsiveness/performance and stop the junk from being inputted in the first place. What are your thoughts on this?

2/26/2009 7:42 AM

Hi Iadalang,

Input through public-facing functionality, such as this forum, is fully filtered against malicious script and markup. This is not a new feature, nor is it unique to the FnL (or UDT) module.

Content protection on the client side, while reducing the overall number of round-trips, is not at all a secure model. That malicious users could easily bypass this validation, combined with the fact that the submission of malicious script is an uncommon occurrence, implies that all filtering should be performed at the server (as opposed to both client and server).

Brandon
Brandon Haynes
BrandonHaynes.org
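Brandon's model above, as an added example that is not part of the thread and not DNN's own filtering code: a server-side allow-list sanitiser. The client can POST anything it likes regardless of what a validator control did in the browser, so this is the layer that has to hold. DNN itself is ASP.NET/C#; Python with its standard-library HTML parser is used here so the example runs stand-alone. The tag and attribute allow-lists, the URL scheme list and the sample inputs are all assumptions chosen for illustration, not settings taken from UDT or the Text/HTML module.

```python
"""Server-side allow-list HTML sanitiser (illustrative, not DNN code).

Keeps a small set of harmless tags/attributes, drops <script>-like elements
together with their content, refuses dangerous URL schemes, balances the
markup and re-escapes all text, so the output is safe to echo into a page.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: what an authenticated user may keep.  Everything else goes.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Elements whose *content* must go too; leaving it as text would leak script.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_href(value):
    """Return the href if its scheme is harmless, else None."""
    # Browsers ignore embedded tab/CR/LF, so "java\nscript:" still runs;
    # strip them before looking at the scheme.  Entities such as &#106;
    # were already decoded by HTMLParser when it split the attributes.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme        # urlsplit lower-cases it
    if scheme == "" or scheme in SAFE_SCHEMES:
        return cleaned
    return None


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags emitted and not yet closed
        self.drop_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop it, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                # drops onclick=, style=, src=, ...
            if name == "href":
                value = _safe_href(value)
                if value is None:
                    continue            # javascript:, data:, vbscript: ...
            parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth -= 1
            return
        if tag in VOID_TAGS or tag not in self.open_tags:
            return                      # a stray </b> is simply ignored
        while True:                     # close anything still open inside it
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE ...> and <?...?> hit the no-op defaults: dropped.

    def result(self):
        self.close()                    # flush any buffered trailing text
        while self.open_tags:           # balance what the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(untrusted):
    """Return markup that is safe to render from an untrusted submission."""
    parser = AllowListSanitizer()
    parser.feed(untrusted)
    return parser.result()


if __name__ == "__main__":
    # Constructed samples of the kind of input the thread worries about.
    for sample in ['<b>bold</b> and <script>alert(1)</script>',
                   '<a href="&#106;avascript:alert(1)" onclick="steal()">link</a>',
                   '<img src=x onerror=alert(1)>',
                   '<p>unclosed <i>text']:
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

Two design points worth noting. The filter works on the parsed tree rather than on the raw string, so entity-encoded `javascript:` URLs and unquoted `onerror=` handlers are seen for what they are instead of slipping past a regex; and unknown tags are dropped while their text is kept, which matches the "strip markup, keep the message" behaviour a forum post filter needs. Running it once on every submission server-side costs one parse per post, which is why Brandon's point stands: the client-side validator saves a round-trip for honest users but protects nobody.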

2/27/2009 1:07 AM

Hi Brandon,

Thank you for chirping in on this. Yes, I agree that malicious script/markup has always been filtered/stripped away server-side and this *might* have been implemented on all core modules. What I fail to understand is why then it was necessary to have a "Filter against script" checkbox for the UDT module and not for other modules? My limited understanding is that this feature *might* have been provided in a scenario where HTML inputs are required and allowable, at least for authenticated users/roles for this particular module. In such a scenario, the checkbox shouldn't be checked, and the server-side validation routines would also not strip out the input. I just verified this by entering in some HTML and script with the filter checkbox disabled. The HTML was rendered as desired and the script also fired off (Sebastian would like to throw more light on this, though). If what I said is right (please correct me if I'm wrong), then the same situations should be applicable to all modules. I mean, wouldn't it be great if such a checkbox was implemented, e.g. in the Text/HTML module, where security concerns required that script/HTML/SQL shouldn't be allowed?

What you said in the second paragraph of your response led me to believe that ASP.NET validator controls might help in reducing server round trips, but they do not work server-side. But I believe they work both ways. If I'm correct, then why not incorporate them in all core modules anyway, as they provide both benefits: performance and security.
