Comments (1)
HTML context-specific escaping should be done when you print data in HTML, because escaping is context specific. You wouldn't use data escaped for HTML in JSON and XML exports, for example.
Also check how Latte escapes data; it's not as simple as just htmlspecialchars(): https://blog.nette.org/en/quiz-can-you-defend-against-xss-vulnerability
Other types of vulnerabilities that make sense to check in HTTP data of unknown type are handled well by nette/http.
And nette/database uses prepared statements the same way as PDO does for safe SQL queries.
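To illustrate the point made in the comment above, here is an added example (not code from the nette/http project, from Latte, or from the commenter) that escapes the same untrusted value at output time, once per output context, in plain PHP; the function names are this example's own:

```php
<?php
declare(strict_types=1);

// Escaping belongs at the point of output, chosen per context.
// The stored value stays raw; each sink gets its own escaper.

function escapeHtmlText(string $s): string
{
    // HTML text nodes and quoted attribute values.
    // ENT_QUOTES also escapes the single quote.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeJsString(string $s): string
{
    // A value placed inside an inline <script>: JSON-encode it and also
    // hex-escape <, >, &, ' and " so the string cannot close the script tag.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

function escapeJsonExport(string $s): string
{
    // JSON export for API clients: plain JSON encoding only.
    // HTML entities here would corrupt the exported data.
    return json_encode($s, JSON_THROW_ON_ERROR);
}

// Constructed sample input containing characters special in every context.
$name = '<b>"O\'Neil" & Co</b>';

$htmlBody   = '<p>' . escapeHtmlText($name) . '</p>';
$htmlAttr   = '<input value="' . escapeHtmlText($name) . '">';
$inlineJs   = '<script>var name = ' . escapeJsString($name) . ';</script>';
$jsonExport = '{"name":' . escapeJsonExport($name) . '}';

// Wrong: reusing the HTML-escaped value in the JSON export. The export now
// contains "&lt;b&gt;" and "&quot;", which a JSON consumer will treat as data.
$corruptedExport = '{"name":' . escapeJsonExport(escapeHtmlText($name)) . '}';

echo $htmlBody, "\n", $htmlAttr, "\n", $inlineJs, "\n", $jsonExport, "\n", $corruptedExport, "\n";
```

Note that escaping for an unquoted attribute, a URL, or CSS would each need yet another escaper, which is why a context-aware template engine such as Latte does this selection automatically.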