[FLOW3-general] Security framework for escaping/ encoding output?
Helmut Hummel
helmut at typo3.org
Sat Sep 18 17:17:17 CEST 2010
Hi,
On 18.09.10 16:03, Jigal van Hemert wrote:
> Thirdly, three of the four links Helmut posted were not about handling
> data which goes into the Persistent Framework, but about data which is
> sent back to the visitor.
Exactly.
> From a security point of view you can't even
> trust the data which is not hard coded or calculated in the application;
> data from a database is also 'unsafe', simply because its origin is
> unknown.
Exactly. Persisted data (tend to) have different origins. If you want to
send it back to the user, it has to be properly escaped for the context
it is outputted to (most probably being HTML).
> This is probably a task for the ViewHandlers, but then the
> question is if these are designed to handle it.
Exactly. In real life projects you will have to write your own view
helpers and within them, you need to escape your data.
> Helmut's questions seem all very valid to me.
Yes, they are. :)
I ask these questions out of our experience in the security team, where
we always have to cope with the same security problems, which derive
from lacking a proper API and lacking knowledge. The latter is a matter
of teaching, which would be much easier if we could simply teach the
developers to use the right API.
Regards Helmut
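To make the point about context-specific escaping concrete, here is an added standalone illustration; it is not FLOW3 code and does not use FLOW3's view helper API, which is not assumed here. It shows one persisted value written into four different output contexts, each with the escaping that context needs.

```php
<?php
// Added illustration: context-aware output escaping as a plain PHP class,
// not a FLOW3 view helper (no FLOW3 API is assumed).
final class OutputEscaper
{
    // Text between tags: encode the HTML metacharacters.
    public static function html(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Attribute value: same encoding, but it is only safe when the template
    // quotes the attribute ("...") and the attribute is not an event handler
    // or a URL-bearing attribute such as href/src.
    public static function attr(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Value embedded in an inline <script> block: emit a JSON string literal
    // with <, >, &, ' and " hex-escaped, so neither the quote nor a closing
    // tag inside the data can end the script context.
    public static function js(string $value): string
    {
        return json_encode(
            $value,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        );
    }

    // URL query parameter: percent-encoding, not HTML encoding.
    public static function urlParam(string $value): string
    {
        return rawurlencode($value);
    }
}

// Constructed sample "persisted" value of unknown origin that contains every
// character the contexts above care about.
$name = 'Tom & "Jerry" <b>O\'Neil</b>';

// The same value, escaped once per context it is written to. Applying one
// escaper everywhere (or none) is exactly what leaves a view helper open.
echo '<p>Hello ' . OutputEscaper::html($name) . '</p>' . PHP_EOL;
echo '<input value="' . OutputEscaper::attr($name) . '">' . PHP_EOL;
echo '<script>var user = ' . OutputEscaper::js($name) . ';</script>' . PHP_EOL;
echo '<a href="/profile?user=' . OutputEscaper::urlParam($name) . '">me</a>' . PHP_EOL;
```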