[FLOW3-general] Security framework for escaping/ encoding output?
Jigal van Hemert
jigal at xs4all.nl
Sat Sep 18 16:03:27 CEST 2010
Hi,
On 18-9-2010 15:06, Georg Ortner wrote:
> are you aware that you won't write any SQL in a FLOW3 Package? That's all
> handled by the Persistent Framework. After reviewing the links you posted I
> don't understand what benefit that would have for FLOW3. Or do I miss
> something important?
Well, so far I don't think that the Persistent Framework is capable of
handling all kinds of queries. If Extbase is representative of the
current state there are a lot of queries which have to be built in your own
code.
Secondly the question is whether the Persistent Framework actually
handles this. I've found that DateTime objects are persisted as Unix
timestamps, so I wouldn't be surprised if this escaping and quoting was
also left until "later". FLOW3 is still in alpha state after all.
Thirdly, three of the four links Helmut posted were not about handling
data which goes into the Persistent Framework, but about data which is
sent back to the visitor. From a security point of view you can't even
trust the data which is not hard coded or calculated in the application;
data from a database is also 'unsafe', simply because its origin is
unknown. This is probably a task for the ViewHandlers, but then the
question is if these are designed to handle it.
Helmut's questions seem all very valid to me.
--
Kind regards / met vriendelijke groet,
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
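The point made above, that data read back from the database is no safer than data typed in by a visitor and therefore has to be escaped at output time, is illustrated by the following added example. It is not code from the post or from FLOW3; it uses plain PHP functions (htmlspecialchars, json_encode) and a constructed sample row standing in for a persisted record whose "displayName" field once accepted arbitrary text. The escapeHtml, escapeJsString and renderProfile names are hypothetical helpers written for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample: what a persisted record might contain after a user
// was allowed to enter arbitrary text into a "display name" field. The
// origin of this value is unknown to the view, so it is treated as untrusted.
$row = [
    'displayName' => 'Bob <b onmouseover="x()">&amp; co</b>',
];

function escapeHtml(string $value): string
{
    // ENT_QUOTES also converts single quotes, so the result is safe inside
    // both element content and quoted attribute values. ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string, which
    // would otherwise silently drop the data.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeJsString(string $value): string
{
    // json_encode with these flags yields a JavaScript string literal in
    // which <, >, &, ' and " are hex-escaped, so it cannot terminate the
    // surrounding <script> element or break out of the literal.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function renderProfile(array $row): string
{
    // Escape once per output context, at the moment the value is emitted;
    // the same raw string needs a different encoding in each context.
    $nameHtml = escapeHtml($row['displayName']);
    $nameJs   = escapeJsString($row['displayName']);

    return "<h1>{$nameHtml}</h1>\n"
         . "<input type=\"text\" value=\"{$nameHtml}\">\n"
         . "<script>var displayName = {$nameJs};</script>\n";
}

echo renderProfile($row);
```

Running this prints the markup with the stored `<b onmouseover=...>` fragment rendered as visible text rather than as an element, and the script block receives a quoted string literal. The design choice to note is that no escaping is done when the record is written; storing the raw value and encoding per output context keeps the data reusable (for example in a JSON API) and puts the responsibility exactly where the post suggests it belongs, in the view layer.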