As of April 2023, Brandfolder sanitizes text input fields more strictly to reduce the risk of cross-site scripting (XSS) attacks.
Why the change?
Cross-site scripting attacks can do serious harm to users who did nothing wrong. Malicious links or script injected into asset descriptions or other text inputs can be used to steal user data and assets, expose private user information, and read sensitive information, all without the affected user noticing.
According to the Open Worldwide Application Security Project (OWASP), "An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page."
The stricter text sanitization reduces the chance that you or your assets are exposed to these attacks through malicious links in Brandfolder. These changes help keep your account secure and Brandfolder operational.
The largest impact is on HTML input fields where you can add your own anchor links. Changes include:
- HTML input fields only accept anchor links whose domain is on a list of trusted domains (an allowlist).
- When a link's domain is not on the allowlist, the link is automatically sanitized or removed.
Impacts of the change
Existing HTML anchor links that don't meet the new rules are left as they are until you edit the HTML field. Once you save an edit to that field, Brandfolder sanitizes or removes the non-conforming link, and you cannot restore the field to its previous state.
New HTML links that don't meet the rules cannot be added.
Product areas affected
The affected fields are the HTML input fields where you can add your own anchor links:
- Organization descriptions
- Brandfolder descriptions
- Portal descriptions
- Collection taglines
- Workspace taglines
- Asset descriptions
- Usage agreements
Options for working with links under the new rules:
- You can leave existing HTML links unedited, which keeps them intact.
- You can add links via buttons on the Brandfolder show page.
- You can use mailto: links.
- You can use tel: (telephone) links.
- You can use the link to an asset card in the asset modal.
- Many domains of common websites are already on the allowlist, so anchor links to them are still accepted.
- You can request that your domain be added to the Brandfolder allowlist by reaching out to firstname.lastname@example.org or your designated Brandfolder contact.
- You can use relative links.
- You can paste the URL as plain text. For example:
  - Instead of typing: <a href="https://external_domain.com">CLICK ME</a>
  - Type: Visit https://external_domain.com for our policy.
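The allowlist policy described above (trusted domains only, with mailto:, tel: and relative links allowed, and everything else sanitized or removed) can be implemented as a small allowlist-based HTML sanitizer. The following is an added example, not Brandfolder's own code; the domain list, the set of kept tags and the function names are assumptions for illustration. It also covers the lookalike and encoding tricks a practitioner checks for: javascript: and data: schemes, leading whitespace or embedded tabs in the scheme, protocol-relative `//host` links, backslash-as-slash, and `trusted.com@evil.com` userinfo tricks.

```python
"""Allowlist-based sanitizer for HTML anchor links.

Added example, not Brandfolder's implementation. It applies the policy the
page describes: anchor links only to trusted domains, mailto:/tel: and
relative links allowed, anything else sanitized (the <a> is removed, its
text is kept). Domain list, tag list and names are assumptions.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist; a subdomain of an entry (cdn.brandfolder.com) is accepted.
TRUSTED_DOMAINS = {"brandfolder.com", "example.org"}
# Assumed set of tags that survive; anything else is dropped but its text kept.
ALLOWED_TAGS = {"a", "p", "br", "strong", "em", "ul", "ol", "li"}
VOID_TAGS = {"br"}
ALLOWED_SCHEMES = {"mailto", "tel"}


def check_href(href: str):
    """Return the normalised href if the policy allows it, else None."""
    # Browsers strip leading/trailing C0 controls and spaces, drop tabs and
    # newlines inside a URL, and treat backslash as slash for http(s).
    # Normalise the same way so "java\tscript:" or "\\evil.com" cannot slip by.
    href = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", href)
    href = re.sub(r"[\t\n\r]", "", href).replace("\\", "/")
    try:
        parts = urlsplit(href)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # no port, no user:pass@ prefix
    if scheme in ALLOWED_SCHEMES:
        return href
    if scheme == "" and not parts.netloc:
        return href  # relative link ("/assets/123", "#usage"); "//evil.com" has a netloc
    if scheme in {"http", "https"} and host:
        if host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS):
            return href
    return None  # javascript:, data:, untrusted or lookalike hosts, etc.


def href_is_allowed(href: str) -> bool:
    return check_href(href) is not None


class LinkSanitizer(HTMLParser):
    """Rebuilds the input keeping only ALLOWED_TAGS; <a> keeps href only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # tags we emitted and still owe a close for
        self.removed_links = 0

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; handle_data still keeps its text
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}>")
            return
        if tag == "a":
            href = check_href(dict(attrs).get("href") or "")
            if href is None:
                self.removed_links += 1  # link sanitized: anchor removed, text kept
                return
            self.out.append(f'<a href="{html.escape(href, quote=True)}">')
        else:
            self.out.append(f"<{tag}>")  # every other attribute (onclick, style, ...) is dropped
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Only close what we actually opened, so a removed <a> leaves no </a>.
        if self.open_tags and self.open_tags[-1] == tag:
            self.open_tags.pop()
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape text on output

    def result(self) -> str:
        self.close()  # flush buffered text
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str):
    """Return (sanitized_html, number_of_links_removed)."""
    parser = LinkSanitizer()
    parser.feed(fragment)
    return parser.result(), parser.removed_links


if __name__ == "__main__":
    # Constructed sample input: one trusted link, one external, one javascript: link.
    sample = ('<p onclick="evil()"><a href="https://cdn.brandfolder.com/x">ok</a> '
              '<a href="https://external_domain.com">CLICK ME</a> '
              '<a href="javascript:alert(1)">x</a></p>')
    print(sanitize(sample))
```

Two design points worth noting. The sanitizer rebuilds the output from parsed tokens and re-escapes text, rather than pattern-matching the raw string, so odd casing, attribute quoting or entity encoding in the input cannot smuggle markup through. The removed-link count lets the UI tell the user that a link was stripped instead of silently changing their text, which matches the behaviour the page describes for edited fields; an implementation that wants to keep other anchor attributes (such as target or rel) should allowlist them explicitly rather than pass them through.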