Wapp

Check-in [f32ee075ea]

Overview
Comment: Fix typo in the security.md page.
SHA3-256:f32ee075ea835de9b06337cc6f8e5fd9dab2cd358e91562154d7de90aad34b01
User & Date: drh 2018-03-30 11:19:37
Context
2018-03-30
12:23
Use site-absolute URLs on the README.md file. check-in: c555d600c0 user: drh tags: trunk
11:19
Fix typo in the security.md page. check-in: f32ee075ea user: drh tags: trunk
2018-03-29
15:32
Update the security page to talk about the fact that parameter names must not contain special characters. check-in: 8cec7dcae8 user: drh tags: trunk
Changes

Changes to docs/security.md.

31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
  3.  Cookies, query parameters, and POST parameters are automatically
      decoded before they reach application code. There is no risk
      that the application program will forget a decoding step or
      accidently miscode a decoding operation.

  4.  Cookies, query parameters, and POST parameters are silently discarded
      unless their names begin with a lower-case letter and contain only
      alphanumerics, underscores, and minus-signs.  Hence, there is not risk
      that unusual parameter names can cause quoting problems or other
      vulnerabilities.

  5.  Reply text generated using the "wapp-subst" and "wapp-trim" commands
      automatically escapes generated text so that it is safe for inclusion
      within HTML, within a javascript or JSON string literal, as a URL,
      or as the value of a query parameter. As long as the application







|







31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
  3.  Cookies, query parameters, and POST parameters are automatically
      decoded before they reach application code. There is no risk
      that the application program will forget a decoding step or
      accidently miscode a decoding operation.

  4.  Cookies, query parameters, and POST parameters are silently discarded
      unless their names begin with a lower-case letter and contain only
      alphanumerics, underscores, and minus-signs.  Hence, there is no risk
      that unusual parameter names can cause quoting problems or other
      vulnerabilities.

  5.  Reply text generated using the "wapp-subst" and "wapp-trim" commands
      automatically escapes generated text so that it is safe for inclusion
      within HTML, within a javascript or JSON string literal, as a URL,
      or as the value of a query parameter. As long as the application
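
Review bot: "accidently" in item 3 (the context line "accidently miscode a decoding operation.") is still misspelled on both sides of this diff; since the check-in is a typo pass over security.md, correct it to "accidentally" here as well. In item 5, "javascript" would also be better written as "JavaScript". The only difference visible between the two sides is "not risk" becoming "no risk" in item 4, which reads correctly now.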