[Typo3-dev] typo3 security team

Martin Klaus mascht at hotmail.com
Fri Sep 26 03:23:10 CEST 2003


hi list, hi René, Peter, Andreas and Patrick

>There are a few things you can do to make code more safe. For example output
>non-HTML content with htmlspecialchars() which is first of all a good thing
>to do anyways and second it deactivates javascript which shouldn't be there.

>That document can describe some problems which occurs more often in web
>applications and how to deal with them.

Yes it's true, that 100% security isn't possible. But I'm very sure too,
that you can avoid the most common (and exploited) security issues, if you
follow some coding guidelines.
And beginners should get the feeling, which things could be possibly harmful
or lead to a severe security risk. (I think the key is to always have
security in mind, when coding extensions, and maybe that is what we should
try to achieve)

>So Martin, do you volunteer to start such a document? :-)

René, yes I would like to help writing such a document. But I don't have so
much time at the moment. So I really need some help! (my English isn't that
good either, but I think most of you are from Germany, so translation
shouldn't be a problem)

As base information for our coding guidelines we could use the
top ten Web Application and PHP Security Vulnerability lists (thanks
Patrick) and an article in c't magazine (I can mail it to you, if
interested) in German.
Does anybody want to do some web search in that direction? I'm very sure
there are many security related coding-guideline documents already out there.

Would you prefer to have a "standalone" document?
Or do you think it would be a good idea to integrate the information into the
"extension review document" and the "inside Typo3 document"?

kind regards,
Martin
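The htmlspecialchars() advice quoted at the top of the mail, shown as an added PHP example; this is not code from the original post or from TYPO3. The sample input, the parameter name "name" and the two small render helpers are assumptions made for the illustration.

```php
<?php
// Added example (not from the mailing-list post or TYPO3): echoing request
// data raw versus passing it through htmlspecialchars() first.

// Constructed sample input standing in for a request parameter; in a real
// extension this would come from $_GET['name'] or similar (assumption).
$sampleInput = "Tom <script>alert('xss')</script> & \"friends\"";

// Vulnerable: the value is placed into the page as-is, so any markup in it
// (including a <script> element) becomes part of the document and runs.
function renderGreetingUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: htmlspecialchars() turns <, >, & and quotes into entities, so
// the browser shows the text literally and never parses it as markup.
// ENT_QUOTES also escapes single quotes; older PHP versions did not do that
// by default, and it matters once the value lands inside an attribute.
function renderGreetingSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<p>Hello, $escaped</p>";
}

// Same rule in an attribute context: escape the value and keep the attribute
// quoted, otherwise a value containing a space or a quote breaks out of it.
function renderInputField(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="name" value="' . $escaped . '">';
}

echo renderGreetingUnsafe($sampleInput), "\n";
echo renderGreetingSafe($sampleInput), "\n";
echo renderInputField($sampleInput), "\n";
```

Run it with `php` on the command line and compare the three lines: the unsafe helper emits the script element unchanged, while the two escaped helpers emit only entities, which the browser renders as visible text. The escaping is applied at the point of output, not at input time, so the same stored value can be written safely into both a text node and an attribute.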