Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Fix typo in the security.md page. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
f32ee075ea835de9b06337cc6f8e5fd9 |
| User & Date: | drh 2018-03-30 11:19:37 |
Context
|
2018-03-30
| ||
| 12:23 | Use site-absolute URLs on the README.md file. check-in: c555d600c0 user: drh tags: trunk | |
| 11:19 | Fix typo in the security.md page. check-in: f32ee075ea user: drh tags: trunk | |
|
2018-03-29
| ||
| 15:32 | Update the security page to talk about the fact that parameter names must not contain special characters. check-in: 8cec7dcae8 user: drh tags: trunk | |
Changes
Changes to docs/security.md.
31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
3. Cookies, query parameters, and POST parameters are automatically
decoded before they reach application code. There is no risk
that the application program will forget a decoding step or
accidently miscode a decoding operation.
4. Cookies, query parameters, and POST parameters are silently discarded
unless their names begin with a lower-case letter and contain only
alphanumerics, underscores, and minus-signs. Hence, there is not risk
that unusual parameter names can cause quoting problems or other
vulnerabilities.
5. Reply text generated using the "wapp-subst" and "wapp-trim" commands
automatically escapes generated text so that it is safe for inclusion
within HTML, within a javascript or JSON string literal, as a URL,
or as the value of a query parameter. As long as the application
|
| |
31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
3. Cookies, query parameters, and POST parameters are automatically
decoded before they reach application code. There is no risk
that the application program will forget a decoding step or
accidently miscode a decoding operation.
4. Cookies, query parameters, and POST parameters are silently discarded
unless their names begin with a lower-case letter and contain only
alphanumerics, underscores, and minus-signs. Hence, there is no risk
that unusual parameter names can cause quoting problems or other
vulnerabilities.
5. Reply text generated using the "wapp-subst" and "wapp-trim" commands
automatically escapes generated text so that it is safe for inclusion
within HTML, within a javascript or JSON string literal, as a URL,
or as the value of a query parameter. As long as the application
|