[FLOW3-general] Security framework for escaping/encoding output?
Georg Ortner
go at simplaweb.at
Sat Sep 18 15:06:40 CEST 2010
Hi Helmut,
are you aware that you won't write any SQL in a FLOW3 package? That's all
handled by the Persistence Framework. After reviewing the links you posted, I
don't understand what benefit that would have for FLOW3. Or am I missing
something important?
Regards
George
On Fri, Sep 17, 2010 at 11:47 AM, Helmut Hummel <helmut at typo3.org> wrote:
> Hi,
>
> while again having a look into the nice ESAPI framework[1], I wondered
> if anything similar is already present in FLOW3.
>
> Having such an API in place does not only provide proper escaping, but
> also raises awareness that escaping has to be done respecting the
> context where untrusted data is ultimately landing.[2][3][4]
>
> Would be nice if someone could tell me if something is there so that I
> can have a look at it.
>
> If nothing is there yet, using ESAPI (at least parts of it) should be
> seriously considered.
>
> Regards Helmut
>
> [1]http://code.google.com/p/owasp-esapi-php/wiki/Welcome
> [2]http://code.google.com/docreader/#p=doctype&s=doctype&t=ArticlesXSS
> [3]http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
> [4]http://acko.net/blog/safe-string-theory-for-the-web
> _______________________________________________
> FLOW3-general mailing list
> FLOW3-general at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
>
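The point Helmut makes with [2], [3] and [4], that the right encoder depends on where the untrusted value lands, shown as an added example that is not code from FLOW3, from the ESAPI PHP library, or from either poster. The function names follow the ESAPI naming convention but are written from scratch here; the regular expressions, the `safeHref` scheme policy and the sample payloads are my own assumptions for the demonstration, not part of any project's API.

```php
<?php
// Added example (not FLOW3 or ESAPI code): output encoding selected by the
// context the untrusted value is written into. Payloads below are constructed.
declare(strict_types=1);

// HTML text node or quoted attribute value: escape & < > " ' and substitute
// invalid UTF-8 rather than silently returning an empty string.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal: \xHH / \uHHHH-escape every non-alphanumeric
// code point so quotes, backslashes, newlines and "</script>" cannot
// terminate the literal or the enclosing <script> element.
function encodeForJavaScript(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', static function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp <= 0xFF) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp <= 0xFFFF) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000; // astral plane: emit a UTF-16 surrogate pair
        return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
    }, $s);
}

// URL query parameter value: RFC 3986 percent-encoding.
function encodeForUrlParameter(string $s): string
{
    return rawurlencode($s);
}

// Whole URL placed in href/src: no encoder makes "javascript:" safe, so this
// is a validation step, not an encoder. Policy assumed here: accept http(s)
// and site-relative paths (not protocol-relative "//host"), replace the rest.
function safeHref(string $url): string
{
    if (preg_match('#^(?:https?://|/(?!/))#i', $url) !== 1) {
        return '#';
    }
    return encodeForHtml($url);
}

// Constructed untrusted inputs for the demonstration.
$payloadJs  = "'; alert(document.cookie); //";
$payloadUrl = 'javascript:alert(1)';
$query      = 'a b&c=d';

// 1. HTML body: one encoder is enough.
$html = '<p>' . encodeForHtml($payloadJs) . '</p>';

// 2. Inline event handler: a JavaScript string nested inside an HTML attribute.
//    Wrong: HTML encoding alone. The HTML parser decodes &#039; back to '
//    before the JavaScript engine runs the handler, so the breakout survives.
$wrongHandler = '<a onclick="greet(\'' . encodeForHtml($payloadJs) . '\')">x</a>';
//    Right: encode for the innermost context first, then for the outer one.
$rightHandler = '<a onclick="greet(\'' . encodeForHtml(encodeForJavaScript($payloadJs)) . '\')">x</a>';

// 3. Script block: JavaScript encoding only; HTML entities are not decoded here.
$script = '<script>var q = \'' . encodeForJavaScript($payloadJs) . '\';</script>';

// 4. URL parameter inside an attribute, and a full attacker-supplied URL.
$link    = '<a href="/search?q=' . encodeForHtml(encodeForUrlParameter($query)) . '">search</a>';
$badLink = '<a href="' . safeHref($payloadUrl) . '">profile</a>';

foreach (['html' => $html, 'wrongHandler' => $wrongHandler, 'rightHandler' => $rightHandler,
          'script' => $script, 'link' => $link, 'badLink' => $badLink] as $name => $out) {
    printf("%-13s %s\n", $name . ':', $out);
}
```

Run it with `php` from the command line and compare the `wrongHandler` and `rightHandler` lines: the first still contains a bare `&#039;;` that the browser turns back into a quote inside the handler, the second contains only `\xHH` sequences that no HTML decoding step can revert. The `badLink` line shows why a URL slot needs validation of the scheme rather than an encoder at all.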