click-dev mailing list archives

From Bob Schellink <sab...@gmail.com>
Subject Re: How well does a Click app hold against these 10 security risks?
Date Tue, 20 Apr 2010 23:36:16 GMT
It should be plausible to handle A4 (direct object reference) through a custom HiddenField and
ActionLink. In a future release of Click we could ship such controls.

regards

bob


On 21/04/2010 09:15, Bob Schellink wrote:
> Hi George,
> 
> On 20/04/2010 22:33, georgex wrote:
>>
>> How well does a typical Click webapp hold against the following 10 security
>> risks?
>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> 
> 
> I'm not aware of any effort to make Click apps secure against the OWASP top 10 (interesting effort),
> so if your application is publicly hosted and contains sensitive data, make sure you understand
> security well or find a security expert to help out.
> 
> That said:
> 
> A1 (injection): shouldn't be a problem with ORMs or PreparedStatements
> A2 (XSS): Click controls escape their values at rendering time, however Velocity variables are *not*
> escaped by default, so if you reference untrusted code through a Velocity variable make sure you
> escape it, e.g.:
> 
>   $format.escape(customer.description)
> 
> The rest of the list seems quite application specific and won't be handled by Click automatically.
> 
> kind regards
> 
> bob
> 
> 
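One way to build the A4 control Bob describes above, as an added example that is not part of the original thread and not Click's own code: a per-user indirect reference map in plain Java. No Click API is used; the class name, the idea of keeping one instance in the HttpSession per logged-in user, the `customer` parameter name, the link URL shape and the sample ids are all assumptions. A custom HiddenField or ActionLink would call `tokenFor()` when rendering and `resolve()` when binding the request value, and refuse the request when `resolve()` comes back empty.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Indirect reference map for OWASP A4 (hypothetical class, not from Click).
 * One instance per logged-in user (assumption: stored in the HttpSession at
 * login). The browser only ever sees opaque tokens, never database primary
 * keys, so editing a hidden field or a link parameter cannot reach another
 * user's record.
 */
public final class IndirectReferenceMap {

    private static final SecureRandom RANDOM = new SecureRandom();

    private final Map<String, Long> tokenToId = new HashMap<>();
    private final Map<Long, String> idToToken = new HashMap<>();

    /**
     * Token for a record the current user is allowed to reference. Call this
     * only with ids the user legitimately owns or may see: the map is the
     * allow-list that later submissions are checked against.
     */
    public synchronized String tokenFor(long directId) {
        String existing = idToToken.get(directId);
        if (existing != null) {
            return existing;                    // stable for the session
        }
        byte[] buf = new byte[16];
        String token;
        do {
            RANDOM.nextBytes(buf);              // 128 random bits: not guessable
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        } while (tokenToId.containsKey(token));
        tokenToId.put(token, directId);
        idToToken.put(directId, token);
        return token;
    }

    /**
     * Resolve a token that came back in a request. Empty means the token was
     * never issued to this user (forged, guessed, or minted in another user's
     * session); the page must then refuse the action rather than fall back to
     * interpreting the value as a raw id.
     */
    public synchronized Optional<Long> resolve(String token) {
        if (token == null || token.isEmpty()) {
            return Optional.empty();
        }
        return Optional.ofNullable(tokenToId.get(token));
    }

    /** Walk through render and bind with constructed data. */
    public static void main(String[] args) {
        // Constructed data: customer ids owned by the logged-in user "alice".
        long[] alicesCustomers = {42L, 77L};
        IndirectReferenceMap alice = new IndirectReferenceMap();

        // Rendering: where a plain HiddenField or ActionLink would carry the
        // primary key, emit the token instead. URL-safe base64 needs no
        // further escaping in either attribute.
        for (long id : alicesCustomers) {
            String token = alice.tokenFor(id);
            System.out.println("<input type=\"hidden\" name=\"customer\" value=\"" + token + "\"/>");
            System.out.println("<a href=\"edit-customer.htm?actionLink=edit&value=" + token + "\">edit</a>");
        }

        // Binding: the submitted value is only ever looked up, never parsed.
        String submitted = alice.tokenFor(42L);
        System.out.println("legitimate token resolves to: " + alice.resolve(submitted));

        // The attacker replaces the hidden value with a guessed raw id.
        System.out.println("raw id '43' resolves to: " + alice.resolve("43"));

        // A token minted in a different user's session is not valid here either.
        IndirectReferenceMap other = new IndirectReferenceMap();
        System.out.println("another user's token resolves to: " + alice.resolve(other.tokenFor(42L)));
    }
}
```

The security property rests on two rules: only mint tokens for records the user is allowed to reach, and never accept a value that does not resolve. Because tokens are stable within a session, links stay valid across pages of the same visit but die with the session, so a captured URL is useless to anyone else.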