click-dev mailing list archives

From Bob Schellink <sab...@gmail.com>
Subject Re: 2.0.1 Roadmap
Date Tue, 24 Feb 2009 22:18:29 GMT
florin.g wrote:

> - Built in security (cross site, sql injection, etc.) 


I think SQL injection is better handled by the DB layer e.g. an ORM or 
PreparedStatement.

As for XSS attacks, Click controls provide some protection by escaping 
their values before rendering. However, XSS will still be possible 
through Velocity variables unless they are escaped using 
Format#html(String):

$format.html($msg)

Velocity also provides a property to escape all variables or 
optionally to escape only variables matching a certain expression.

Still the best way is probably through an XSSFilter which ensures all 
HTML entities are escaped. Is this what you had in mind or something else?

kind regards

bob
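The escaping that the message above describes (Click controls escaping their own values, and $format.html($msg) doing the same for a Velocity variable) reduces to one small routine. What follows is an added illustration written for this archive page in Python rather than Java; it is not code from Click, Velocity or the thread, and the sample messages, the render_* helpers and the is_safe_* checks are constructed here for demonstration. The attribute case goes slightly beyond the thread: it shows why the double quote has to be escaped as well, not only the angle brackets.

```python
# Constructed sample messages (not taken from the original thread).
BENIGN = "Tom & Jerry <3"
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def escape_html(value: str) -> str:
    """Escape the characters that let untrusted text change HTML structure.

    This is the kind of escaping Click controls apply to their values before
    rendering, and what $format.html($msg) does for a Velocity variable.
    The order matters: '&' is replaced first, otherwise the entities produced
    by the later replacements would themselves be escaped again.
    """
    return (
        value.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#39;")
    )


def escape_all(params: dict) -> dict:
    """Blanket variant: escape every value in a parameter map before it
    reaches a template, the approach a filter in front of the pages takes."""
    return {name: escape_html(value) for name, value in params.items()}


def render_body_unescaped(msg: str) -> str:
    """Equivalent of a Velocity template that writes $msg directly."""
    return "<p>" + msg + "</p>"


def render_body_escaped(msg: str) -> str:
    """Equivalent of a Velocity template that writes $format.html($msg)."""
    return "<p>" + escape_html(msg) + "</p>"


def render_attribute_unescaped(msg: str) -> str:
    """Untrusted text dropped into a quoted attribute without escaping."""
    return '<input type="text" value="' + msg + '">'


def render_attribute_escaped(msg: str) -> str:
    """In a quoted attribute the double quote must be escaped too, or the
    value can close the attribute and add its own event handler."""
    return '<input type="text" value="' + escape_html(msg) + '">'


def is_safe_body(rendered: str) -> bool:
    """Crude check: the only markup left is the <p> wrapper itself."""
    inner = rendered[len("<p>"):-len("</p>")]
    return "<" not in inner and ">" not in inner


def is_safe_attribute(rendered: str) -> bool:
    """Crude check: only the four quotes belonging to the wrapper survive,
    so the injected text could not have closed the value attribute."""
    return rendered.count('"') == 4


if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("script", SCRIPT_PAYLOAD)):
        print(label, "raw:    ", render_body_unescaped(text))
        print(label, "escaped:", render_body_escaped(text))
    print("attr raw:    ", render_attribute_unescaped(ATTR_PAYLOAD))
    print("attr escaped:", render_attribute_escaped(ATTR_PAYLOAD))
```

Running the module prints each rendering side by side; the escaped script payload comes out as literal `&lt;script&gt;...` text that a browser shows rather than executes, and the attribute payload stays inside the value attribute because its quote became `&quot;`.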