Overview
Comment: | Update the security page to talk about the fact that parameter names must not contain special characters. |
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: | 8cec7dcae84d53cd0ee24bd8acb7742a |
User & Date: | drh 2018-03-29 15:32:05.718 |
Context
2018-03-30
11:19 | Fix typo in the security.md page. (check-in: f32ee075ea user: drh tags: trunk) |
2018-03-29
15:32 | Update the security page to talk about the fact that parameter names must not contain special characters. (check-in: 8cec7dcae8 user: drh tags: trunk) |
2018-03-28
20:25 | Update the built-in SQLite to the first 3.23.0 beta. (check-in: 127706d944 user: drh tags: trunk) |
Changes
Changes to docs/security.md.
︙ | ︙ | |||
29 30 31 32 33 34 35 | disable this protection on a case-by-case basis. 3. Cookies, query parameters, and POST parameters are automatically decoded before they reach application code. There is no risk that the application program will forget a decoding step or accidently miscode a decoding operation. | > > > > > > | | | 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 | disable this protection on a case-by-case basis. 3. Cookies, query parameters, and POST parameters are automatically decoded before they reach application code. There is no risk that the application program will forget a decoding step or accidently miscode a decoding operation. 4. Cookies, query parameters, and POST parameters are silently discarded unless their names begin with a lower-case letter and contain only alphanumerics, underscores, and minus-signs. Hence, there is not risk that unusual parameter names can cause quoting problems or other vulnerabilities. 5. Reply text generated using the "wapp-subst" and "wapp-trim" commands automatically escapes generated text so that it is safe for inclusion within HTML, within a javascript or JSON string literal, as a URL, or as the value of a query parameter. As long as the application programmer is careful to always use "wapp-subst" and/or "wapp-trim" to generate replies, there is little risk of injection attacks. 6. If the application is launched on a command-line with the --lint option, then instead of running the application, Wapp scans the application code looking for constructs that are unsafe. Unsafe constructs include things such as using "wapp-subst" with an argument that is not contained within {...}. Part of what makes Wapp easy to use is that it helps free application developers from the worry of accidently introducing security vulnerabilities |
︙ | ︙ |
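Review bot: new item 4 says "there is not risk that unusual parameter names can cause quoting problems or other vulnerabilities"; this should read "there is no risk", and "accidently" (in item 3 and in the closing paragraph) should be "accidentally". Item 4 would also be more useful if it said how a rejected parameter surfaces to the developer: because a cookie, query parameter or POST parameter whose name does not begin with a lower-case letter or contains anything other than alphanumerics, underscores and minus-signs is discarded silently, a request that loses data because of a mis-named field is hard to diagnose, so a sentence on whether the --lint mode or a debug setting reports such discards would round out the item.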