[FLOW3-general] Security framework for escaping/ encoding output?

Andreas Förthner andreas.foerthner at netlogix.de
Mon Sep 20 09:33:57 CEST 2010



Hi Helmut,

in general I can say that we considered escaping, of course ;-) I also know the ESAPI framework for quite some time now and definitely want to go for something like that.
> > Thirdly, three of the four links Helmut posted were not about handling
> > data which goes into the Persistent Framework, but about data which is
> > sent back to the visitor.
>
> Exactly.

This is currently only implemented within Fluid. I think Sebastian knows more exactly what is escaped when. Of course we will have to review this from a security point of view, but I'm quite confident that this is done in a really good way, as Sebastian also knows about the security problems we currently have in third party extensions.

>
> > From a security point of view you can't even
> > trust the data which is not hard coded or calculated in the application;
> > data from a database is also 'unsafe', simply because its origin is
> > unknown.
>
> Exactly. Persisted data (tend to) have different origins. If you want to
> send it back to the user, it has to be properly escaped for the context
> it is outputted to (mostly probably being HTML)
>
> > This is probably a task for the ViewHandlers, but then the
> > question is if these are designed to handle it.
>
> Exactly. In real life projects you will have to write your own view
> helpers and within them, you need to escape your data.

Yep, this is true. As far as I know there is no API in ViewHelpers at the moment, but as I said we want to have something like ESAPI here.

Regarding SQL and incoming data, we have the concept of validators and filters that will be applied to every parameter and every persisted property. The infrastructure is in place; what's missing is a bunch of filters and more validators that have to be provided by the framework.

Hope I could help a bit to answer your questions.

Greets Andi


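As an added illustration of the context-sensitive escaping this thread discusses (not FLOW3 or Fluid code; the class, the view helper name and the sample record are assumptions, and it targets PHP 7.3 or newer):

```php
<?php
// Added example, not FLOW3/Fluid code: a small ESAPI-style escaper that a
// hand-written view helper can use. Class and function names are assumptions.

final class OutputEscaper
{
    // Element content, e.g. <p>{value}</p>
    public static function html(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Double-quoted attribute value, e.g. title="{value}"; the caller emits the quotes
    public static function htmlAttribute(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Single URL query parameter, e.g. href="/profile?user={value}"
    public static function urlParam(string $value): string
    {
        return rawurlencode($value);
    }

    // JavaScript string literal inside a <script> block, e.g. var name = {value};
    public static function jsString(string $value): string
    {
        return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
            | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
    }
}

// Hypothetical view helper: renders one persisted record whose origin is unknown,
// so every field is escaped for the exact context it lands in (four contexts here).
function renderComment(array $record): string
{
    $author = $record['author'];
    $text   = $record['text'];
    return '<div class="comment" data-author="' . OutputEscaper::htmlAttribute($author) . '">'
         . '<p>' . OutputEscaper::html($text) . '</p>'
         . '<a href="/profile?user=' . OutputEscaper::urlParam($author) . '">profile</a>'
         . '<script>var author = ' . OutputEscaper::jsString($author) . ';</script>'
         . '</div>';
}

// Constructed sample record; '<p>' . $text . '</p>' would emit the markup verbatim.
$record = ['author' => 'Tom & "Jerry" <ops>', 'text' => 'a < b && "quoted" text'];
echo renderComment($record), PHP_EOL;
```

The same stored string comes out differently in each of the four contexts, which is the point the thread makes: the escaping belongs in the view helper and depends on where the value is written, not on where it was stored.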

