Any system that can either display code in a browser, or have code entered into it, needs protections built in to ensure that these functions cannot be used to breach security. This article explains what we do.
Display of Code in Survey Content
All data presented to the browser of someone viewing a survey page is encoded. This makes it appear as plain text, not code, and therefore any malicious code entered into the survey cannot execute.
In certain circumstances, we may also sanitise the input and outright remove it. For security reasons, we do not publish precise criteria for this.
Code in Survey Responses
We have a WAF (Web Application Firewall) in place that challenges or blocks any malicious code that is entered into surveys. This means it won't reach our servers; instead, it gets blocked at the proxy edge.
Why Doesn't SmartSurvey Fully Sanitise Inputs?
There are several use cases where code may form a legitimate part of a survey or form response. Bug reporting and technical tests may require respondents to read questions with, or submit answers with, content that may look like an SQL injection, and if we sanitised these sorts of answers then the important meaning would be lost. So, we encode the data instead so it is safe to render in a browser, and only sanitise in specific circumstances where we detect malicious elements.
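The distinction between encoding and sanitising, as an added example that is not SmartSurvey's own code: the encoder below turns HTML-significant characters in an untrusted response into entities so a browser shows them as literal text, while a naive tag-stripping sanitiser (included only to illustrate the information loss described above) silently removes part of a legitimate bug report. The sample responses are constructed.

```javascript
// Added example (not SmartSurvey's code): HTML-encode untrusted survey text for an
// HTML body context, versus tag-stripping "sanitisation", which drops content.

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode every HTML-significant character. The browser renders the original
// characters but never parses them as markup, so nothing in the text executes.
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Naive sanitiser that strips anything resembling a tag. Shown only to
// demonstrate the meaning loss the article describes; not a recommended control.
function stripTags(text) {
  return String(text).replace(/<[^>]*>/g, "");
}

// Would an HTML parser treat anything in this string as markup?
function containsMarkupChars(text) {
  return /[<>]/.test(text);
}

// Constructed sample responses, as a bug-report form might receive them.
const SAMPLE_RESPONSES = [
  "The search box breaks when I type <b>bold</b> text",
  "Login fails with input: ' OR 1=1 --",
];

// Encoding keeps every character of the answer; stripping loses the "<b>" detail
// the respondent was reporting.
function compareHandling() {
  return SAMPLE_RESPONSES.map((r) => ({
    original: r,
    encoded: encodeForHtml(r),
    stripped: stripTags(r),
    encodedIsInert: !containsMarkupChars(encodeForHtml(r)),
  }));
}
```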