Opened 18 years ago
Closed 18 years ago
#34 closed defect (fixed)
Escape HTML outputted by 'render-data' to prevent XSS attacks
| Reported by: | Slava Akhmechet | Owned by: | Slava Akhmechet |
|---|---|---|---|
| Priority: | medium | Milestone: | 0.1 |
| Component: | weblocks | Version: | pre-0.1 |
| Keywords: | cross-site scripting SQL injection sanitize | Cc: | |
Description
We should sanitize form input to prevent cross-site scripting and SQL injection. Sanitation should ideally be done in a centralized place (in particular, request-object-mapping).
Change History (3)
comment:1 Changed 18 years ago by
| Priority: | high → medium |
|---|---|
comment:2 Changed 18 years ago by
| Summary: | Sanitize input to prevent cross-site scripting and SQL injection → Escape HTML outputted by 'render-data' to prevent XSS attacks |
|---|---|
The goals of this ticket are too broad and ill-defined. SQL injection is an unrelated issue and input sanitation depends on the type of data. For now we should change the goal to escaping HTML outputted by 'render-data' since all widgets [should] use it for rendering.
comment:3 Changed 18 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed. 'render-data' now escapes all output.
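The resolution above moves the defence from input sanitization to escaping at the point of output. The following is an added illustration of that principle, not code from Weblocks (which is written in Common Lisp); it is a Python stand-in in which `render_data`, `escape_html` and `strip_script_tags` are hypothetical names chosen for this example. It contrasts a tag-stripping input sanitizer of the kind the ticket originally asked for, which a nested tag or a non-`script` vector gets past, with a single output-escaping function that every widget renders through, so that no data value can become markup regardless of its content.

```python
"""Output escaping versus input sanitization for XSS.

Stand-in illustration in Python; not Weblocks code. All names here
(render_data, escape_html, strip_script_tags) are hypothetical.
"""

import re

# The five characters that carry meaning in HTML text and attribute contexts.
_HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}


def escape_html(value) -> str:
    """Escape every HTML-significant character in the textual form of value.

    Each input character is mapped at most once, so an '&' that is part of
    the data is always escaped and never re-interpreted as an entity prefix.
    Non-string values (numbers, None) are rendered via str() first, because
    the renderer is expected to escape *all* data it outputs.
    """
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in str(value))


_WRAPPER_OPEN = '<span class="data">'
_WRAPPER_CLOSE = "</span>"


def render_data(value) -> str:
    """Hypothetical stand-in for 'render-data': the one place data reaches HTML.

    The only markup in the result is the fixed wrapper; the data itself is
    escaped unconditionally, so a widget that renders through this function
    cannot emit attacker-controlled tags or attributes.
    """
    return _WRAPPER_OPEN + escape_html(value) + _WRAPPER_CLOSE


def strip_script_tags(value: str) -> str:
    """An input 'sanitizer' of the kind the ticket started with.

    Removes <script> and </script> tags only. Shown here to demonstrate why
    filtering input is the wrong layer: it has to know every vector, and it
    can be defeated by nesting, since removal happens in a single pass.
    """
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def looks_like_markup(text: str) -> bool:
    """True if text still contains a character that could open a tag or attribute."""
    return any(ch in text for ch in "<>\"'")


def rendered_payload_is_inert(value) -> bool:
    """Check that the data part of render_data(value) contains no markup characters."""
    out = render_data(value)
    body = out[len(_WRAPPER_OPEN):-len(_WRAPPER_CLOSE)]
    return not looks_like_markup(body)


# Constructed sample payloads (not taken from the ticket).
SAMPLE_PAYLOADS = [
    "<script>alert(1)</script>",              # the obvious case
    "<scr<script>ipt>alert(1)</script>",      # nested: tag stripping reassembles it
    "<img src=x onerror=alert(1)>",           # no script tag at all
    '" onmouseover="alert(1)',                # attribute-context breakout
]


def sanitizer_passes_any_markup() -> bool:
    """Does the input sanitizer let markup through for at least one sample payload?"""
    return any(looks_like_markup(strip_script_tags(p)) for p in SAMPLE_PAYLOADS)


def renderer_neutralizes_all() -> bool:
    """Does output escaping neutralize every sample payload?"""
    return all(rendered_payload_is_inert(p) for p in SAMPLE_PAYLOADS)


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print("input sanitizer :", strip_script_tags(p))
        print("output escaping :", render_data(p))
        print()
```

Escaping at output is idempotent from the page's point of view only in the sense that each call sees data, not markup: `escape_html("a&amp;b")` yields `a&amp;amp;b`, which is correct, because the literal text `a&amp;b` is what the data contains. The corollary is that any widget which bypasses `render-data` and concatenates strings into HTML itself reintroduces the hole, which is why the comment above conditions the fix on all widgets using it.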