#34: Sanitize input to prevent cross-site scripting and SQL injection
---------------------------------------------------------+------------------
 Reporter:  sakhmechet                                    |  Owner:  sakhmechet
     Type:  defect                                        |  Status:  new
 Priority:  high                                          |  Milestone:  0.1
Component:  weblocks                                      |  Version:  pre-0.1
 Keywords:  cross-site scripting SQL injection sanitize   |
---------------------------------------------------------+------------------
 We should sanitize form input to prevent cross-site scripting and SQL
 injection. Sanitation should ideally be done in a centralized place (in
 particular, request-object-mapping).
#34: Sanitize input to prevent cross-site scripting and SQL injection
-------------------------+--------------------------------------------------
 Reporter:  sakhmechet    |  Owner:  sakhmechet
     Type:  defect        |  Status:  new
 Priority:  medium        |  Milestone:  0.1
Component:  weblocks      |  Version:  pre-0.1
Resolution:               |  Keywords:  cross-site scripting SQL injection sanitize
-------------------------+--------------------------------------------------
Changes (by sakhmechet):

  * priority:  high => medium
#34: Escape HTML outputted by 'render-data' to prevent XSS attacks
-------------------------+--------------------------------------------------
 Reporter:  sakhmechet    |  Owner:  sakhmechet
     Type:  defect        |  Status:  new
 Priority:  medium        |  Milestone:  0.1
Component:  weblocks      |  Version:  pre-0.1
Resolution:               |  Keywords:  cross-site scripting SQL injection sanitize
-------------------------+--------------------------------------------------
Changes (by sakhmechet):

  * summary:  Sanitize input to prevent cross-site scripting and SQL
              injection => Escape HTML outputted by 'render-data' to
              prevent XSS attacks

Comment:

 The goals of this ticket are too broad and ill defined. SQL injection is an
 unrelated issue and input sanitation depends on the type of data. For now
 we should change the goal to escaping HTML outputted by 'render-data' since
 all widgets [should] use it for rendering.
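An added illustration of the decision in the comment above, not code from the weblocks project: a stand-in `render-data` that escapes on output, shown beside the unescaped behaviour it replaces. The function names `escape-html`, `render-data-unsafe` and `render-to-string`, the `<span>` wrapper and the sample payload are all assumptions made for this example; weblocks' real `render-data` has its own signature and this does not reproduce it.

```lisp
;;; Added example, not weblocks' own code. ESCAPE-HTML, RENDER-DATA-UNSAFE,
;;; RENDER-TO-STRING, the <span> wrapper and *PAYLOAD* are assumptions made
;;; for the illustration; the real 'render-data' in weblocks is not shown.

(defun escape-html (string)
  "Replace the five characters that can change HTML structure with entity
references.  Sufficient for element content and quoted attribute values;
NOT sufficient for script, URL or CSS contexts, which need their own escaping."
  (with-output-to-string (out)
    (loop for ch across string
          do (case ch
               (#\& (write-string "&amp;" out))
               (#\< (write-string "&lt;" out))
               (#\> (write-string "&gt;" out))
               (#\" (write-string "&quot;" out))
               (#\' (write-string "&#39;" out))
               (t   (write-char ch out))))))

(defun render-data-unsafe (data stream)
  "Stand-in for the pre-fix behaviour: DATA is written verbatim, so any
markup it carries is interpreted by the browser."
  (format stream "<span class=\"data\">~a</span>" data))

(defun render-data (data stream)
  "Stand-in for the post-fix behaviour: every value is escaped on its way
out, whatever its origin (form field, database row, URL parameter)."
  (format stream "<span class=\"data\">~a</span>"
          (escape-html (princ-to-string data))))

(defun render-to-string (renderer data)
  "Run RENDERER on DATA and capture the HTML it produces as a string."
  (with-output-to-string (s) (funcall renderer data s)))

;; Constructed payload: a form field value that is echoed back into a page.
(defparameter *payload* "<script>alert(document.cookie)</script>")

;; Before: the script element survives intact and the browser will run it.
(assert (search "<script>" (render-to-string #'render-data-unsafe *payload*)))

;; After: only entity references reach the browser, so no element is formed.
(let ((html (render-to-string #'render-data *payload*)))
  (assert (null (search "<script>" html)))
  (assert (search "&lt;script&gt;" html)))

;; Non-string data still renders, because RENDER-DATA stringifies first.
(assert (string= "<span class=\"data\">42</span>"
                 (render-to-string #'render-data 42)))
```

Escaping in the rendering function rather than at form input is what makes the fix centralized: the value is protected regardless of whether it arrived through a form, a database or a URL, and the same data can still be stored and processed unescaped. This addresses HTML element and attribute context only; SQL injection is, as the comment says, a separate problem, and the standard remedy there is parameterized queries rather than escaping.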
#34: Escape HTML outputted by 'render-data' to prevent XSS attacks
-------------------------+--------------------------------------------------
 Reporter:  sakhmechet    |  Owner:  sakhmechet
     Type:  defect        |  Status:  closed
 Priority:  medium        |  Milestone:  0.1
Component:  weblocks      |  Version:  pre-0.1
Resolution:  fixed        |  Keywords:  cross-site scripting SQL injection sanitize
-------------------------+--------------------------------------------------
Changes (by sakhmechet):

  * resolution:  => fixed
  * status:  new => closed

Comment:

 Fixed. 'render-data' now escapes all output.
cl-weblocks-ticket@common-lisp.net