[FLOW3-general] Security framework for escaping/ encoding output?
Helmut Hummel
helmut at typo3.org
Sat Sep 18 16:55:20 CEST 2010
Hi Georg,
On 18.09.10 15:06, Georg Ortner wrote:
>
> are you aware that you won't write any SQL in a FLOW3 Package? That's all
> handled by the Persistent Framework. After reviewing the links you posted I
> don't understand what benefit that would have for FLOW3. Or do I miss
> something important?
Well, SQL is not the only target where untrusted data can go to. Three of the
four links I posted were about Cross Site Scripting (and how to prevent
it), which has nothing to do with SQL, but with HTML (and JavaScript).
Being a web programming framework, FLOW3 (and Fluid, being part of it)
is designed to output HTML, isn't it?
If you carefully read the resources I posted you will probably learn that
properly escaping data for HTML is not a no-brainer and in some cases you
are _not_ safe only applying htmlspecialchars before outputting
untrusted data.
That's why I suggest having a clean (and secure) API to escape the
output for the different HTML contexts. That is what ESAPI provides
(besides much more which is probably not needed for FLOW3).
Last but not least, the different storage backends of the persistence
framework have to cope with SQL. Escaping has to be done there as well.
OK, this might not be something a "regular" FLOW3 developer (using high
level APIs) has to cope with, but a nice API for escaping data for
the different SQL dialects would still be nice.
Regards Helmut
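The point Helmut makes above, that a single htmlspecialchars() call is not enough because the encoder has to match the HTML context the value lands in, is easier to see in code. The following is an added example written for this archive page; it is not code from the thread, from FLOW3/Fluid or from ESAPI, and all function names (encodeForHtml, encodeForJavaScript, encodeForUrlParam, safeHref) and the sample inputs are constructed for the illustration. It assumes PHP 7.2 or later with the mbstring extension for mb_ord().

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread or from FLOW3/Fluid/ESAPI.
// The same untrusted value needs a different encoder depending on where in
// the document it ends up. All function names below are hypothetical.

// Text node or *quoted* attribute value. ENT_QUOTES matters: PHP before 8.1
// did not escape the single quote by default, so '…' attributes could be
// broken out of with a plain apostrophe.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal. Every non-alphanumeric code point becomes an
// escape, so the value can neither terminate the literal nor spell </script>.
function encodeForJavaScript(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x80) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp < 0x10000) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000;  // astral plane: emit a UTF-16 surrogate pair
        return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
    }, $s);
}

// Untrusted value used as one query-string component.
function encodeForUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Untrusted value used as a whole link target: "javascript:alert(1)" contains
// nothing htmlspecialchars() would touch, so the scheme has to be checked,
// not escaped. Only absolute http(s) URLs are accepted here (assumption).
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return encodeForHtml($url);
}

// --- constructed inputs (not from the thread) -----------------------------
$attr = 'x onmouseover=alert(1)';  // no <, >, &, or quotes: htmlspecialchars is a no-op
$js   = "'); alert(1); //";
$link = 'javascript:alert(1)';

// 1. Unquoted attribute: no encoder can help, the markup itself is the bug.
//    Quoting the attribute keeps the whole value inside one attribute.
$unsafe1 = '<div title=' . encodeForHtml($attr) . '>';
$safe1   = '<div title="' . encodeForHtml($attr) . '">';

// 2. Event-handler attribute: the browser HTML-decodes the attribute value and
//    only then hands it to the JS engine, so &#039; turns back into a quote
//    and ends the literal early; alert(1) runs as its own statement.
//    Correct layering: JS-encode first, then attribute-encode the result.
$unsafe2 = '<a onclick="show(\'' . encodeForHtml($js) . '\')">';
$safe2   = '<a onclick="show(\'' . encodeForHtml(encodeForJavaScript($js)) . '\')">';

// 3. Inline <script>: no HTML decoding happens inside the element, entities
//    would appear literally; the JS encoder is the only correct layer.
$script = '<script>var q = "' . encodeForJavaScript($js) . '";</script>';

// 4. Link target and query parameter: URL-encode the component, then
//    attribute-encode the assembled URL for the HTML layer it sits in.
$href  = '<a href="' . safeHref($link) . '">';
$query = '<a href="' . encodeForHtml('/search?q=' . encodeForUrlParam($js)) . '">';

foreach ([$unsafe1, $safe1, $unsafe2, $safe2, $script, $href, $query] as $line) {
    echo $line, PHP_EOL;
}
```

Cases 1 and 2 are the ones the message refers to: the first value survives htmlspecialchars() untouched, and in the second the browser's own attribute decoding undoes the HTML escaping before JavaScript ever parses it, which is why a context-aware API has to compose encoders in the order the browser decodes them.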