click-dev mailing list archives

From Bob Schellink <sab...@gmail.com>
Subject Re: How well does a Click app hold against these 10 security risks?
Date Tue, 20 Apr 2010 23:15:04 GMT
Hi George,

On 20/04/2010 22:33, georgex wrote:
> 
> How well does a typical Click webapp hold against the following 10 security
> risks?
> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


I'm not aware of any effort to make Click apps secure against the OWASP top 10 (interesting effort), so if your application is publicly hosted and contains sensitive data, make sure you understand security well or find a security expert to help out.

That said:

A1 (injection): shouldn't be a problem with ORMs or PreparedStatements.
A2 (XSS): Click controls escape their values at rendering time; however, Velocity variables are *not* escaped by default, so if you reference untrusted code through a Velocity variable make sure you escape it, e.g.:

  $format.escape(customer.description)

The rest of the list seems quite application specific and won't be handled by Click automatically.

kind regards

bob

