The audit will be on https://gitlab.com/tikiwiki/tiki/-/tree/24.x which can also be fetched from https://dev.tiki.org/Daily-Build or use 24.2

If some features are too difficult to secure, we move them to https://doc.tiki.org/Risky-Preferences

On a default install, users are encouraged to use these profiles:
https://profiles.tiki.org/Featured+Profiles#Featured_profiles_from_Tiki_21.x_up_to_Tiki_24.x

Otherwise, here are the priorities:

High

• Risky code in vendor_bundled
• Security related features (are they working/helping?)
  • tiki-admin.php?page=security
  • tiki-admin_security.php
  • enygma/expose (the package): https://doc.tiki.org/Intrusion-Detection-System
• Registration / user system / User trackers / LDAP / OpenID Connect / SAML
• Wiki pages
• Trackers
• Modules: https://doc.tiki.org/Module
• Basic features as per https://dev.tiki.org/Create-a-new-preference#tags_array_

Medium

• https://doc.tiki.org/Shared-Secrets
• Forums and comments
• Advanced features as per https://dev.tiki.org/Create-a-new-preference#tags_array_
• https://doc.tiki.org/Profiles

Low

• tiki-check.php
• https://doc.tiki.org/Packages
  • mpdf/mpdf https://doc.tiki.org/mPDF
  • tikiwiki/diagram https://doc.tiki.org/Diagram
  • npm-asset/recordrtc https://doc.tiki.org/Record-screen-audio-video
  • npm-asset/pdfjs-dist-viewer-min https://doc.tiki.org/PDF.js-viewer
• https://doc.tiki.org/Manager (CLI only, not the web interface)

Excluded

• Experimental features as per https://dev.tiki.org/Create-a-new-preference#tags_array_
• Deprecated features as per https://dev.tiki.org/Create-a-new-preference#tags_array_