TL;DR
No. CMS-generated HTML is not automatically trustworthy and remains vulnerable to Cross-Site Scripting (XSS). Proper output encoding/escaping is crucial at every stage: when content is stored in the database, when it is retrieved, and before it is rendered in the browser.
Understanding the Risk
Content Management Systems (CMS) like WordPress, Drupal, or Joomla allow users to create content through an admin interface. This content is then stored (usually in a database) and displayed on the website. Even though you’re using a CMS, malicious code can still be injected if input isn’t handled correctly.
Why CMS HTML Isn’t Inherently Safe
- User Input is Key: The core problem is user-supplied data. Even with an admin interface, users are providing the content that ends up in your HTML.
- Database Storage: Databases store text as text. They don’t inherently understand or prevent malicious code. A database can hold
This would execute JavaScript code when the page is loaded.
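As an added example (not part of the original article), the difference between a template that trusts content pulled from the CMS database and one that encodes it at output time. The stored post and the helper names are constructed for illustration.

```javascript
// Escape the five characters that can break out of an HTML text node or a
// double-quoted attribute value. Ampersand must go first so that entities
// produced by the later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed stand-in for a row retrieved from the CMS database. The
// database stored it verbatim; nothing about it is "safe" yet.
const storedPost = {
  title: 'Hello "world" & friends',
  body: "<p>Legit paragraph</p><script>alert(document.cookie)</script>",
};

// Vulnerable rendering: the template assumes database content is clean and
// concatenates it straight into the page, so the stored script tag runs.
function renderUnsafe(post) {
  return `<h1>${post.title}</h1><div>${post.body}</div>`;
}

// Hardened rendering: encode at the point of output. Note that escaping the
// body also turns the legitimate <p> into visible text; a CMS that wants to
// keep rich text needs an allow-list HTML sanitizer instead of plain escaping.
function renderSafe(post) {
  return `<h1>${escapeHtml(post.title)}</h1><div>${escapeHtml(post.body)}</div>`;
}

// Simple check used to compare the two renderings: does the output still
// contain a live <script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```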
Conclusion
CMS-generated HTML is not inherently safe. You must actively protect against XSS by validating input, encoding output correctly, and implementing other security measures. Treat all user-supplied data as potentially malicious until proven otherwise.