The best fix for the XSS issues I can think of is switching the views (page templates) from raw PHP to a templating language like Twig. This automatically tracks the origin of each of the variables (such as query string parameter or database entry) and renders the values safely. This wouldn't actually take that long, and would also make the view templates easier to read and work on in the future (which would be useful when applying the designer's styling).
The site is currently hosted on Digital Ocean. We need to decide if we keep it there or put it on Bytemark.
Then point the right domain at the PESIA
Some security testing is required. The `install.php` file shouldn’t be on the public website, for example. Turn off public registration of admin users. Dan thinks cross-site scripting is a concern and I agree.
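Added example, not part of the original issue or the project's code: a raw PHP view next to the same view rendered by Twig with HTML auto-escaping enabled, plus the two spots a reviewer should still check after such a migration (the `|raw` filter and attribute context). It assumes Twig 3 installed via Composer; the template names and the `$name` value are constructed for illustration.

```php
<?php
// Added example. Assumes `composer require twig/twig` (Twig 3) has been run.
require __DIR__ . '/vendor/autoload.php';

// Constructed sample value standing in for a query string parameter or database entry.
$name = '<script>alert(1)</script>';

// Raw PHP view: the value is echoed unchanged, so any markup in it reaches the browser.
function renderRawPhpView(string $name): string
{
    ob_start();
    ?><p>Hello <?= $name ?></p><?php
    return ob_get_clean();
}

// Manual fix in raw PHP: works, but has to be remembered at every single echo.
function renderEscapedPhpView(string $name): string
{
    return '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// The same view as Twig templates (hypothetical names).
$templates = [
    // Auto-escaped: every {{ ... }} output is HTML-escaped by default.
    'hello.html.twig' => '<p>Hello {{ name }}</p>',
    // Attribute context: use the stricter html_attr strategy.
    'attr.html.twig'  => '<input value="{{ name|e("html_attr") }}">',
    // |raw switches escaping off again; each use needs a review.
    'raw.html.twig'   => '<p>Hello {{ name|raw }}</p>',
];

$twig = new \Twig\Environment(
    new \Twig\Loader\ArrayLoader($templates),
    ['autoescape' => 'html'] // the default, stated explicitly
);

$views = [
    'raw PHP view'          => renderRawPhpView($name),
    'PHP + htmlspecialchars' => renderEscapedPhpView($name),
    'Twig auto-escape'      => $twig->render('hello.html.twig', ['name' => $name]),
    'Twig html_attr'        => $twig->render('attr.html.twig', ['name' => $name]),
    'Twig |raw'             => $twig->render('raw.html.twig', ['name' => $name]),
];

foreach ($views as $label => $html) {
    // Flag any rendering in which the script tag survived unescaped.
    $status = str_contains($html, '<script>') ? 'UNESCAPED' : 'escaped';
    printf("%-24s %-10s %s\n", $label, $status, $html);
}
```

After a migration, searching the templates for `|raw` and for `{% autoescape false %}` blocks gives the list of outputs that still depend on manual review.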