[cl-weblocks-ticket] Re: #34: Escape HTML outputted by 'render-data' to prevent XSS attacks

cl-weblocks cl-weblocks-devel at common-lisp.net
Fri Aug 3 05:52:11 UTC 2007


#34: Escape HTML outputted by 'render-data' to prevent XSS attacks
-------------------------+--------------------------------------------------
  Reporter:  sakhmechet  |       Owner:  sakhmechet                                 
      Type:  defect      |      Status:  new                                        
  Priority:  medium      |   Milestone:  0.1                                        
 Component:  weblocks    |     Version:  pre-0.1                                    
Resolution:              |    Keywords:  cross-site scripting SQL injection sanitize
-------------------------+--------------------------------------------------
Changes (by sakhmechet):

  * summary:  Sanitize input to prevent cross-site scripting and SQL
              injection => Escape HTML outputted by 'render-
              data' to prevent XSS attacks

Comment:

 The goals of this ticket are too broad and ill defined. SQL injection is
 an unrelated issue and input sanitization depends on the type of data. For
 now we should change the goal to escaping HTML outputted by 'render-data'
 since all widgets [should] use it for rendering.

-- 
Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/34>
cl-weblocks <http://common-lisp.net/project/cl-weblocks>
cl-weblocks
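
The fix the ticket narrows down to is output escaping at the single rendering
chokepoint. The following Common Lisp is an added example, not cl-weblocks
code: ESCAPE-HTML, RENDER-DATA-UNSAFE and RENDER-DATA-ESCAPED are names
assumed here for illustration, and the hostile input is constructed.

```lisp
;;; Added example (not cl-weblocks code). ESCAPE-HTML, RENDER-DATA-UNSAFE
;;; and RENDER-DATA-ESCAPED are illustrative names, not project functions.

(defun escape-html (string)
  "Return STRING with the five HTML-significant characters replaced by
character references, so data lands in the page as text, never as markup."
  (with-output-to-string (out)
    (loop for ch across string
          do (case ch
               (#\< (write-string "&lt;" out))
               (#\> (write-string "&gt;" out))
               (#\& (write-string "&amp;" out))
               (#\" (write-string "&quot;" out))
               (#\' (write-string "&#39;" out))
               (t   (write-char ch out))))))

(defun render-data-unsafe (value &optional (stream *standard-output*))
  "The pattern the ticket describes: untrusted data written straight into
markup, so a value containing a tag becomes part of the page's DOM."
  (format stream "<span class=\"data\">~A</span>" value))

(defun render-data-escaped (value &optional (stream *standard-output*))
  "Same rendering, but the printed representation of VALUE is escaped
first. PRINC-TO-STRING lets the function accept any datum, not only strings."
  (format stream "<span class=\"data\">~A</span>"
          (escape-html (princ-to-string value))))

;; Constructed untrusted input, e.g. a user-supplied name read back from storage.
(defparameter *hostile-input* "<script>alert(1)</script>")

(defun demo ()
  "Render the same value both ways; only the escaped form is inert."
  (format t "Unsafe:  ")
  (render-data-unsafe *hostile-input*)
  (terpri)
  (format t "Escaped: ")
  (render-data-escaped *hostile-input*)
  (terpri))
```

Calling (demo) prints the raw <script> element in the unsafe line and
`&lt;script&gt;alert(1)&lt;/script&gt;` in the escaped line. This escaping is
correct for HTML text content and for double-quoted attribute values; data
placed inside a script block, a URL, or a CSS property needs its own
context-specific encoding, which is the reason the ticket drops the broader
"sanitize input" goal in favour of escaping at the output point.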