Text sanitization

Brandfolder uses text sanitization on text input fields to reduce the risk of cross-site scripting attacks.

Who can use this?

Plans:

  • Brandfolder

As of April 2023, Brandfolder enhanced its security to include better text sanitization on text input fields to reduce the risk of cross-site scripting attacks.

Why?

Cross-site scripting attacks can severely harm well-intentioned users. Malicious links added to asset descriptions or other text inputs can steal user data and assets, expose private user information, and read sensitive information without the user realizing it.

According to the Open Worldwide Application Security Project (OWASP), "An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser cannot know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page."

The robust and comprehensive text sanitization solution protects you and your assets from these attacks. It ensures you do not fall victim to malicious links in Brandfolder. These changes are essential to providing you with the highest level of security and ensuring that Brandfolder stays healthy and operational.

What changed?

The most significant impact is on HTML input fields where you can add anchor links. Changes include:

  • HTML input fields only accept anchor links whose domain is on a list of trusted domains (an allowlist).
  • When a link's domain is not on the allowlist, the link is automatically sanitized or removed.

If you have existing HTML anchor links that don't meet the new standards, they remain unaffected until you update the HTML field. Once you update the HTML field, you can't return it to its previous state, and Brandfolder will sanitize or remove the link.

If you attempt to add new HTML links that don't meet the standards, you will be unable to do so.

Product areas affected

The area impacted is the HTML input fields, where you can add anchor links. Areas affected include:

  • Organization descriptions 
  • Brandfolder descriptions
  • Portal descriptions
  • Collection taglines
  • Workspace taglines
  • Asset descriptions
  • Usage agreements 

Alternative methods

  • Do not edit existing HTML links; they stay intact until the field is updated.
  • Add links via buttons on the Brandfolder show page.
  • Include mailto links.
  • Use telephone links.
  • Use the link to the asset card in the asset modal.
  • Many domains of standard websites are still on the allowlist, so you can attempt to insert anchor links to them.
  • Request that your domain be added to the Brandfolder allowlist by contacting Brandfolder support or your designated Brandfolder contact.
  • Use relative links.
  • Paste the URL as plain text. For example, instead of typing <a href="https://external_domain.com">CLICK ME</a>, type: Visit https://external_domain.com for our policy.
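As an added illustration (not Brandfolder's own code) of the allowlist behaviour described under "What changed?" and of the alternatives listed above, the Python sanitizer below keeps anchors only when the href is a mailto, telephone or relative link or points at an allowlisted host, and otherwise drops the tag while keeping its visible text. The allowlist contents, the set of pass-through formatting tags and all function names are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com"}  # constructed placeholder; Brandfolder's real allowlist is not published
PASSTHROUGH_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li"}  # plain formatting, assumed safe

def href_allowed(href: str) -> bool:
    """Accept mailto:, tel:, relative links and http(s) links to an allowlisted host."""
    if not href or any(c < " " for c in href):
        return False  # empty, or control characters that can disguise a scheme
    parts = urlsplit(href)
    if parts.scheme in ("mailto", "tel") or (parts.scheme == "" and parts.netloc == ""):
        return True  # mailto:/tel: and relative links such as /collections/summer ("//host/x" is not relative)
    if parts.scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        return host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS)
    return False  # javascript:, data:, other schemes and hosts not on the allowlist are rejected

class AnchorSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.a_stack = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            self.a_stack.append(href_allowed(href))  # remember whether this <a> gets a closing tag
            if self.a_stack[-1]:  # href is the only attribute kept; onclick, target etc. are dropped
                self.out.append(f'<a href="{escape(href, quote=True)}">')
        elif tag in PASSTHROUGH_TAGS:
            self.out.append(f"<{tag}>")
        # any other tag (script, img, iframe, div, ...) is removed; its text content is kept, escaped

    def handle_endtag(self, tag):
        if tag == "a":
            if self.a_stack and self.a_stack.pop():
                self.out.append("</a>")
        elif tag in PASSTHROUGH_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # the text of a removed link survives as plain text

def sanitize(fragment: str) -> str:
    parser = AnchorSanitizer()
    parser.feed(fragment)
    parser.close()  # flush buffered trailing text
    return "".join(parser.out)
```

Running sanitize on the page's own example turns the anchor into plain "CLICK ME" text, which is the "sanitized or removed" outcome the article describes.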