DiscusWare, LLC.
Server Side Includes (SSIs) do not work as expected

Notes regarding the interaction of Discus and server side includes.
 
Introduction

Server Side Includes (SSIs) are frequently used on web sites to provide dynamic page content or to simplify site administration by using a single header and footer file for all pages. In fact, DiscusWare uses both of these techniques on our own site. However, if improperly set up, SSIs can pose a security risk to a site.

SSIs submitted through the Discus program

The Discus program is configured to strip SSIs from all input. Any input resembling an SSI will be dropped automatically from any interface.

If a user or administrator attempts to enter text formatted as an SSI into any Discus form, the Discus software disregards that input automatically. This precaution protects sites whose servers are configured to process SSIs, and DiscusWare does not recommend that scripts be modified to disable this important security check.

Note that this also applies to the Appearance Manager - Editor (in previous versions, the Template Manager). It also applies when "Allow arbitrary HTML" has been selected. If the board administrator needs to insert SSIs onto a page, these must be entered by manually editing that page outside of Discus.
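The kind of input filtering described in this section can be sketched as follows. This is an added example, not DiscusWare's code: the function name strip_ssi, the pattern, and the sample inputs are assumptions made for illustration. It shows two cases a single-pass filter misses: a directive that only forms after an inner one is removed, and an opener with no closing "-->".

```python
import re

# Anything shaped like an SSI directive: "<!--#element attr=value -->".
# Whitespace before "#" is tolerated, and an opener with no closing "-->"
# is matched through the end of the field, so that page content written
# after the field cannot complete it.
_SSI = re.compile(r"<!--\s*#.*?(?:-->|\Z)", re.DOTALL)


def strip_ssi(text):
    """Return (cleaned_text, removed_count) with SSI-like input dropped.

    Removal is repeated until nothing matches, because deleting one
    directive can splice the text around it into a new one.
    """
    removed = 0
    while True:
        text, n = _SSI.subn("", text)
        if n == 0:
            return text, removed
        removed += n


# Constructed sample form inputs (hypothetical, not taken from Discus).
SAMPLES = [
    'Hello <!--#echo var="DATE_LOCAL" --> world',   # plain directive
    '<!-<!--#a-->-#echo var="DATE_LOCAL" -->',      # forms after one pass
    'note <!--#include virtual="/footer.html"',     # never closed
    'a<!--#echo\nvar="DATE_LOCAL"\n-->b',           # spans several lines
    '<!-- ordinary comment --> <b>bold</b>',        # not an SSI, kept
]

if __name__ == "__main__":
    for sample in SAMPLES:
        cleaned, count = strip_ssi(sample)
        print(f"{count} removed: {sample!r} -> {cleaned!r}")
```

The removed count is returned so that a caller can log submissions that contained SSI-like text.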

SSIs on pages, templates, and skins

If Discus users wish to use SSIs on their sites, it is up to the site administrator to configure the server so that the Discus message files are properly parsed. SSIs must be added through template files, not through the Discus program. DiscusWare does not support the configuration of servers or the use of SSIs; consult your server documentation for both.

Note that CGI scripts do not parse their own results for SSIs. Thus, while it is possible to insert SSIs into templates and skins, these will not always be interpreted. SSIs will not be executed on any page produced dynamically (e.g., search results, profile editor, posting preview page). This is a limitation/precaution of CGI itself and cannot be worked around, other than by not using SSIs.

While SSIs hold potential to improve the dynamic content of a page, DiscusWare recommends that users not implement them because of the mixed CGI and static nature of the Discus user interface.


Copyright © 2005, DiscusWare, LLC, All Rights Reserved