Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Update the security page to talk about the fact that parameter names must not contain special characters. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
8cec7dcae84d53cd0ee24bd8acb7742a |
| User & Date: | drh 2018-03-29 15:32:05 |
Context
|
2018-03-30
| ||
| 11:19 | Fix typo in the security.md page. check-in: f32ee075ea user: drh tags: trunk | |
|
2018-03-29
| ||
| 15:32 | Update the security page to talk about the fact that parameter names must not contain special characters. check-in: 8cec7dcae8 user: drh tags: trunk | |
|
2018-03-28
| ||
| 20:25 | Update the built-in SQLite to the first 3.23.0 beta. check-in: 127706d944 user: drh tags: trunk | |
Changes
Changes to docs/security.md.
29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
disable this protection on a case-by-case basis.
3. Cookies, query parameters, and POST parameters are automatically
decoded before they reach application code. There is no risk
that the application program will forget a decoding step or
accidently miscode a decoding operation.
4. Reply text generated using the "wapp-subst" and "wapp-trim" commands
automatically escapes generated text so that it is safe for inclusion
within HTML, within a javascript or JSON string literal, as a URL,
or as the value of a query parameter. As long as the application
programmer is careful to always use "wapp-subst" and/or "wapp-trim"
to generate replies, there is little risk of injection attacks.
5. If the application is launched on a command-line with the --lint
option, then instead of running the application, Wapp scans the
application code looking for constructs that are unsafe. Unsafe
constructs include things such as using "wapp-subst" with an argument
that is not contained within {...}.
Part of what makes Wapp easy to use is that it helps free application
developers from the worry of accidently introducing security vulnerabilities
via programming errors. Of course, no framework is fool-proof. Developers
still must be aware of security. Wapp does not prevent every error, but
it does help make writing a secure application easier and less stressful.
|
> > > > > > | | |
29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
disable this protection on a case-by-case basis.
3. Cookies, query parameters, and POST parameters are automatically
decoded before they reach application code. There is no risk
that the application program will forget a decoding step or
accidently miscode a decoding operation.
4. Cookies, query parameters, and POST parameters are silently discarded
unless their names begin with a lower-case letter and contain only
alphanumerics, underscores, and minus-signs. Hence, there is not risk
that unusual parameter names can cause quoting problems or other
vulnerabilities.
5. Reply text generated using the "wapp-subst" and "wapp-trim" commands
automatically escapes generated text so that it is safe for inclusion
within HTML, within a javascript or JSON string literal, as a URL,
or as the value of a query parameter. As long as the application
programmer is careful to always use "wapp-subst" and/or "wapp-trim"
to generate replies, there is little risk of injection attacks.
6. If the application is launched on a command-line with the --lint
option, then instead of running the application, Wapp scans the
application code looking for constructs that are unsafe. Unsafe
constructs include things such as using "wapp-subst" with an argument
that is not contained within {...}.
Part of what makes Wapp easy to use is that it helps free application
developers from the worry of accidently introducing security vulnerabilities
via programming errors. Of course, no framework is fool-proof. Developers
still must be aware of security. Wapp does not prevent every error, but
it does help make writing a secure application easier and less stressful.
|