Dear EE forum,
What is the latest EE recommendation on activating XSS filtering in the control panel?
The security guidelines (https://ellislab.com/expressionengine/user-guide/development/guidelines/security.html) seem to imply that it should be ON. I did notice that turning it on in the config file converts any HTML comments in channel entries into visible gibberish when entries are updated. Is there any way to avoid this, for example by turning off filtering for entry updates, or by excluding HTML comments from a list of specialcharred tags somewhere?
On the other hand, this post: https://mithra62.com/blog/view/why-you-should-care-about-securitee says that “ExpressionEngine recommends disabling XSS filtering though YOU SHOULDN’T”, although I haven’t been able to find anything to that effect on EE sites.
What is the “official” EE stance on XSS filtering?
Misha