Text sanitization

Brandfolder implements enhanced security, including stronger text sanitization in text input fields, to reduce the risk of cross-site scripting attacks.

Who can use this?

Plans:

  • Brandfolder

Why does this matter?

Cross-site scripting (XSS) attacks can seriously harm well-intentioned users. Malicious links added to asset descriptions or other text inputs can steal user data and assets, publish private user information, and expose sensitive information without the user realizing it.

According to the Open Worldwide Application Security Project (OWASP):

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser cannot know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

The robust and comprehensive text sanitization solution protects you and your assets from these attacks. It ensures you don't fall victim to malicious links in Brandfolder. 

These changes are essential to providing you with the highest level of security and ensuring that Brandfolder stays healthy and operational. 

What's the impact?

The most significant impact is on HTML input fields, where you can add anchor links. Changes include:

  • HTML input fields only accept anchor links from a list of trusted domains.
  • When a link isn't on the accepted list, it's automatically sanitized or removed. 

If you have existing HTML anchor links that don't meet the new standards, they're unaffected until you update the HTML field. Once you update the HTML field, you can't return it to its previous state, and Brandfolder sanitizes or removes the link. 

You can't add new HTML links that don't meet the standards. 

Product areas affected

The affected area is the HTML input fields where you can add anchor links. 

Areas affected include:

  • Organization descriptions 
  • Brandfolder descriptions
  • Portal descriptions
  • Collection taglines
  • Workspace taglines
  • Asset descriptions
  • Usage agreements 

Alternative methods

  • Don't edit existing HTML links; keep them intact. 
  • Add links via buttons on the Brandfolder show page.
  • Include mail-to links.
  • Use telephone links. 
  • Use the link to the asset card in the asset modal. 
  • Many domains for standard websites are still supported, so you can try inserting their anchor links. 
  • Request your domain to be added to the Brandfolder allowlist by contacting Brandfolder support or your designated Brandfolder contact.
  • Use relative links. 
  • Paste the URL as plain text. For example, instead of typing <a href="https://external_domain.com">CLICK ME</a>, type: Visit https://external_domain.com for our policy.
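The allowlist rule described under "What's the impact?" and the link types listed above (mail-to, telephone and relative links) can be illustrated with a small anchor sanitizer. This is an added example, not Brandfolder's own code; the `TRUSTED_DOMAINS` set is a constructed stand-in for Brandfolder's unpublished allowlist, and the example handles only the anchor rule the page describes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist for this example; the page does not publish Brandfolder's real list.
TRUSTED_DOMAINS = {"brandfolder.com", "example.com"}

def href_is_allowed(href):
    """Allow relative, mailto:, tel: and http(s) links to a trusted domain or subdomain."""
    parts = urlsplit(href.strip())              # urlsplit lowercases the scheme for us
    if parts.scheme in ("mailto", "tel") or (parts.scheme == "" and parts.netloc == ""):
        return True                             # relative means e.g. /collections/brand-guide
    host = (parts.hostname or "").lower()       # javascript:, data:, //host fall through to False
    return parts.scheme in ("http", "https") and any(
        host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class AnchorSanitizer(HTMLParser):
    """Rebuild a fragment: rejected <a> tags are removed (text kept); accepted ones keep only href/title."""
    def __init__(self):
        super().__init__()                      # convert_charrefs=True: text arrives decoded
        self.out, self.removed, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag != "a":
            self.out.append(self.get_starttag_text())   # non-anchor tags pass through unchanged
        elif href_is_allowed(attr.get("href") or ""):
            kept = "".join(f' {k}="{html.escape(v, quote=True)}"'
                           for k, v in attr.items() if k in ("href", "title") and v)
            self.out.append(f"<a{kept}>")       # onclick and other event handlers are dropped here
        else:
            self.removed.append(attr.get("href"))       # record the stripped link for auditing
            self._skip += 1

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())       # self-closing tags such as <br/>

    def handle_endtag(self, tag):
        if tag == "a" and self._skip:
            self._skip -= 1                             # swallow the </a> of a removed link
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape decoded text

def sanitize_html(fragment):
    p = AnchorSanitizer()
    p.feed(fragment); p.close()                 # close() flushes any buffered text
    return "".join(p.out), p.removed            # (sanitized_html, removed_hrefs)
```

Tags other than `<a>` are passed through untouched, so this demonstrates only the anchor policy, not a complete HTML sanitizer; the `removed` list is what you would log to see which links the policy stripped.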