[cl-weblocks-ticket] Re: #34: Escape HTML outputted by 'render-data' to prevent XSS attacks
cl-weblocks
cl-weblocks-devel at common-lisp.net
Fri Aug 3 05:52:11 UTC 2007
#34: Escape HTML outputted by 'render-data' to prevent XSS attacks
-------------------------+--------------------------------------------------
Reporter:   sakhmechet   | Owner:      sakhmechet
Type:       defect       | Status:     new
Priority:   medium       | Milestone:  0.1
Component:  weblocks     | Version:    pre-0.1
Resolution:              | Keywords:   cross-site scripting SQL injection sanitize
-------------------------+--------------------------------------------------
Changes (by sakhmechet):
* summary: Sanitize input to prevent cross-site scripting and SQL injection
  => Escape HTML outputted by 'render-data' to prevent XSS attacks
Comment:
The goals of this ticket are too broad and ill-defined. SQL injection is
an unrelated issue and input sanitation depends on the type of data. For
now we should change the goal to escaping HTML outputted by 'render-data'
since all widgets [should] use it for rendering.
--
Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/34>
cl-weblocks <http://common-lisp.net/project/cl-weblocks>
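The ticket narrows the fix to one place: because every widget renders through 'render-data', escaping HTML-significant characters there covers all widget output at once. The following Common Lisp is an added illustration of that single escaping step and is not cl-weblocks code; the names `escape-for-html`, `render-data-escaped` and `*sample-user-data*` are hypothetical, and the `<span>` wrapper stands in for whatever markup the real renderer emits.

```lisp
;; Added example, not cl-weblocks code. Shows the one escaping step that a
;; central renderer such as 'render-data' would apply to every value before
;; writing it into the page, so user-supplied data is shown as text, never
;; interpreted as markup.
(defun escape-for-html (string)
  "Return STRING with the five HTML-significant characters replaced by
entity references. Everything else is copied through unchanged."
  (with-output-to-string (out)
    (loop for char across string
          do (case char
               (#\& (write-string "&amp;" out))
               (#\< (write-string "&lt;" out))
               (#\> (write-string "&gt;" out))
               (#\" (write-string "&quot;" out))
               (#\' (write-string "&#39;" out))
               (t (write-char char out))))))

;; Hypothetical renderer: if every widget funnels its values through a
;; function like this, escaping once here covers all of them.
(defun render-data-escaped (value &optional (stream *standard-output*))
  "Write VALUE inside a <span> with its HTML-special characters escaped.
Non-string values are first converted with PRINC-TO-STRING."
  (format stream "<span class=\"value\">~A</span>"
          (escape-for-html (if (stringp value)
                               value
                               (princ-to-string value)))))

;; Constructed sample input standing in for data a user could have submitted.
(defparameter *sample-user-data*
  "<script>alert(1)</script> & Tom's \"quote\"")

(defun demo ()
  "Render the constructed sample and show that the markup is neutralised."
  (render-data-escaped *sample-user-data*)
  (terpri)
  ;; A non-string value takes the same path and is escaped after printing.
  (render-data-escaped 42)
  (terpri))
```

Running `(demo)` prints the script tag, ampersand and both quote characters as entity references, so a browser displays them literally instead of executing anything. The check to carry into the real codebase is the one the ticket implies: no widget writes a data value to the stream except through the escaping renderer, since a single bypass reintroduces the XSS.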