Good Security Practices for Code Injection

Introduction

Revas CMS Website Builder allows the injection of custom code to extend the functionality of the website. However, improper use of code can compromise the security and stability of the site, causing malfunctions or putting user data at risk.

:: warning Important Revas is not responsible for any damage caused by the insertion of malicious or incorrect code. The user assumes full responsibility for any malfunctions, security breaches or problems resulting from modifying the site code. :::

Understanding the Risks of Code Injection

Before adding custom code, consider the following risks:

• 🔒 Security: Insecure code can expose the site to vulnerabilities such as XSS attacks, SQL injections or data theft.
• ⚠️ Malfunctions: Incorrect code can block parts of the site or prevent it from loading properly.
• 🐌 Performance: Heavy or unoptimised scripts can slow down the site, affecting the user experience.
• ⚖️ Legal Disclaimer: Codes that violate user privacy may lead to legal problems.

Good General Practices

✅ Insert only code from trusted sources

• Use code from verified resources such as official documentation or recognised libraries.
• Avoid code copied from unknown forums or sites without careful review.

✅ Avoid the inclusion of insecure external scripts

• Use only HTTPS scripts, never HTTP.
• Check that external services comply with privacy regulations (e.g. GDPR).

✅ Test code in a separate environment

• Before implementing it in the live site, test the code in a development or staging environment.
• Use tools such as the browser console or code editor to detect errors.

✅ Document the code

• Write clear comments on what the code does to facilitate maintenance.

✅ Keep the code up-to-date

• If you use third-party libraries, make sure they are up-to-date to avoid vulnerabilities.

Prevention of Malicious Code

🚫 Avoid code that collects user data without consent

• Do not insert scripts that track or store data without permission.
• If you do collect information, make sure you comply with privacy regulations.

🚫 Don't use code with unchecked input/output functions

• Avoid JavaScript that accepts user input without validation.
• An XSS attack can be performed through unsanitised input.

🚫 Do not use code with access to sensitive resources

• Avoid manipulating user sessions or credentials with insecure JavaScript.
• Do not insert scripts that access sensitive data such as cookies or local storage.

Security Specification for HTML, CSS and JavaScript

🔹 HTML

• Avoid excessive use of <iframes>, especially if they come from unsafe sites.
• Do not include onerror, onclick or other inline events with unchecked dynamic code.

🔹 CSS

• Avoid @import of CSS files from unknown sources.
• Don't use expression() in CSS, an obsolete and vulnerable function.

🔹 JavaScript

• Do not use eval(), document.write(), innerHTML without sanitisation.
• Use addEventListener() instead of onclick inline.
• Sanitise user input with escaping functions.

Monitoring and Maintenance

✅ Check code periodically

• Regularly review injected code to make sure it is not outdated or insecure.

✅ Use security tools

• Use security scanners such as Google Safe Browsing to check the site.
• Use the browser's DevTools to analyse any errors in the included files.

✅ Make backups before modifying code

• Before injecting new code, save a copy of the previous code to avoid data loss.

:: tip Always follow these good practices to ensure a safe and reliable implementation. :::

Important

Revas takes no responsibility for damage or malfunctions resulting from custom code entered by users.