Showing results for tags 'xss'.
-
Some interesting reads for those interested in security: Well, it should be mandatory for every webdev to know these things, or at least care about them.

Hack yourself first - how to go on the offence before online attackers do
http://www.troyhunt.com/2013/05/hack-yourself-first-how-to-go-on.html

Feel free to discuss or post other articles about the subject.
-
Hello all,

Once again, I just want to comment on how good I truly believe PW to be. I do have a few questions about security though - more specifically about the system's way of handling XSS. I've not really found anything on PW's security practices and exploit prevention precautions.

Is page content filtered client side on submit? I noticed disabling javascript on the admin pages meant that script tags could make it through.

What is the practice for cleaning harmful code on output? I've noticed there's a sanitizer API. Is there a way to enable the sanitizer for all fields by default, so I don't have to keep calling it in the templates for every field?

Is it safe to assume that input on fields is automatically escaped to prevent SQL injection?

Are admin functions protected from CSRF attacks?

I am aware of the HTMLPurifier plugin, but this appears to be an optional plugin.

Finally, a quick question about performance. I've enabled debugging and found that there are 47 queries running on an (admin) page load. Is this going to cause problems for upwards scaling in the future?

If these questions have been answered elsewhere, please point me in the direction of the answers.

Cheers and thanks again.

Edit: I can't find any reference to XSS cleaning functionality at all. Not even the sanitizer seems to have this functionality. Is everything really done on the client by TinyMCE?

Looks like the sanitizer class does indeed have some cleaning functionality.