validating user input and PortalSecurity.InputFilter?

Last post 01-09-2006 7:07 AM by EmperorWal. 2 replies.


  • validating user input and PortalSecurity.InputFilter?

    01-02-2006, 2:56 PM
    • Participant
      792 point Participant
    • EmperorWal
    • Member since 06-06-2005, 2:23 PM
    • New York
    • Posts 166

    Ok, I've read http://forums.asp.net/1/388929/ShowPost.aspx#388929 and looked over PortalSecurity's InputFilter method.

    What I don't understand is I don't see this method used very often in the DNN source. As a matter of fact, I don't think many modules use this method. I see the InputFilter method called by places where the public can enter data (like signin and user registration), but not used to validate every user input.

    Do most DNN modules assume that users with Edit permission are trusted? That may be a dangerously naïve assumption.

    I checked the Forum Module since that is a module that expects input from many users (who may not all be trusted). Forum Module calls InputFilter for the body of the message, but not the Subject. So a subject like

    <SCRIPT>alert('hello');</SCRIPT>

    can be entered with disturbing results.

    Michael Levy
    Are you ready to be heard? WildVoice Network

    Equicast Media

    Accidental Architect
  • Re: validating user input and PortalSecurity.InputFilter?

    01-03-2006, 9:15 PM
    • Participant
      792 point Participant
    • EmperorWal
    • Member since 06-06-2005, 2:23 PM
    • New York
    • Posts 166

    I did more homework on this issue and I think that DNN sites that grant broad sets of users Edit permissions on some modules may need to tighten up the input and output handling on those modules. It appears that many modules are not encoding or filtering user input before displaying it.

    I'm interested in what other people are doing. I wrote up some of what I learned at http://www.accidentalarchitect.com/Home/tabid/68/EntryID/19/Default.aspx and put a little demo of what I think is a good way to encode and filter user input at http://www.accidentalarchitect.com/encode.aspx. Please let me know what you think.

    Michael Levy
    Are you ready to be heard? WildVoice Network

    Equicast Media

    Accidental Architect
  • Re: validating user input and PortalSecurity.InputFilter?

    01-09-2006, 7:07 AM
    • Participant
      792 point Participant
    • EmperorWal
    • Member since 06-06-2005, 2:23 PM
    • New York
    • Posts 166

    I did a little more homework.

    Here is a quick test for you all.

    1. Set up the standard DNN FAQ module on a page.
    2. Edit the module settings and grant Edit Permissions to all users.
    3. Go to the FAQ module as a non-admin user.
    4. Select Add a new FAQ.
    5. For Question or Answer: Set the Texteditor to "Basic Text Box", then text mode to "Raw"
    6. Enter a Question like <SCRIPT>alert('hello');</SCRIPT>

    It seems that many (if not all) modules in DNN are presently designed to trust user input. Anyone building a large portal where a large group of users is allowed to edit certain modules must be careful. Before you grant edit permission on any module to a group of users, you may want to test each input with a simple <SCRIPT> payload.

    Michael Levy
    Are you ready to be heard? WildVoice Network

    Equicast Media

    Accidental Architect
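The encode-before-display approach the posts argue for, shown as an added example in JavaScript rather than DNN's own VB.NET; this is not code from DNN or from the poster's demo page, and the function names and the FAQ markup are assumptions. It encodes every user-supplied field of a FAQ entry for an HTML text context and adds an audit check that flags stored values which still contain raw markup, the condition a defender would look for when reviewing a module that grants Edit permission broadly.

```javascript
// Added example (not DNN code). Encode untrusted text for an HTML text-node
// context so a stored value like <SCRIPT>alert('hello');</SCRIPT> is shown
// as literal characters instead of being executed by the browser.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Hypothetical FAQ rendering: encode every user-supplied field (question
// AND answer), not just the body, which is the gap the thread describes.
function renderFaqEntry(question, answer) {
  return `<dt>${encodeForHtml(question)}</dt><dd>${encodeForHtml(answer)}</dd>`;
}

// Audit helper for data already stored by a module: true when a value still
// contains a raw HTML tag or an inline event-handler attribute, i.e. content
// that would execute if some module writes it out without encoding.
function looksLikeRawMarkup(stored) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(stored) || /\bon[a-z]+\s*=/i.test(stored);
}

// Constructed sample mirroring the test input used in the thread.
const sampleQuestion = "<SCRIPT>alert('hello');</SCRIPT>";
const rendered = renderFaqEntry(sampleQuestion, "answer & more");
console.log(rendered);                                      // no '<' survives from the input
console.log(looksLikeRawMarkup(sampleQuestion));            // true: needs encoding on output
console.log(looksLikeRawMarkup(encodeForHtml(sampleQuestion))); // false: safe to emit as text
```

Encoding at render time is the safer default because it protects values that entered the database through any path, including ones that bypassed InputFilter.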