Open alexbor opened 8 years ago
This may be hard to do with a modular system but I suppose one solution would be putting parameters into the iris.route system options object. You could do things like type checking, stripping of certain values and all sorts there so you wouldn't actually need a validation block at the top of each POST/GET route. This could be a very useful system in itself. That options object in iris.route seems a perfect place for this.
Or is there general stuff we should always be stripping out in core no matter what? Do we have any particular cases? We're not doing anything like eval, the closest being the entity fetch system which is quite strict as to what it supports already. I wouldn't be surprised if there are risks but I'm not really sure where to start on them. Any pointers?
OWASP top ten? https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
Is this something that's been thought of yet? Maybe sanitising all query and params on the way in. May need discussion
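One way the declarative idea above could look, as an added example that is not Iris's own code: a `params` schema on the route options object, checked by one shared validator so each route declares its parameters once. The schema shape, the `params` option name, `validateParams` and `paramsMiddleware` are all assumptions; the sample input is constructed.

```javascript
// Assumed schema shape: one rule per declared parameter. Anything not listed
// in the schema is stripped before the handler ever sees it.
const exampleSchema = {
  page:  { type: "number", required: false, default: 1 },
  q:     { type: "string", required: true, maxLength: 100 },
  admin: { type: "boolean", required: false },
};

// Coerce a raw query value to the declared type; undefined means "invalid".
// Query parsers can hand back arrays or objects (e.g. ?q[]=x), so the string
// rule rejects anything that is not a plain string instead of stringifying it.
function coerce(rule, raw) {
  switch (rule.type) {
    case "number": {
      if (typeof raw !== "string" && typeof raw !== "number") return undefined;
      const n = Number(raw);
      return Number.isFinite(n) ? n : undefined;
    }
    case "boolean":
      if (raw === true || raw === "true") return true;
      if (raw === false || raw === "false") return false;
      return undefined;
    case "string":
      if (typeof raw !== "string") return undefined;
      if (rule.maxLength !== undefined && raw.length > rule.maxLength) return undefined;
      return raw;
    default:
      return undefined;
  }
}

// Validate `input` (req.query or req.params) against `schema`.
// Returns { ok, values, errors }; only declared, typed values are copied out.
function validateParams(schema, input) {
  const values = {}, errors = [];
  for (const [name, rule] of Object.entries(schema)) {
    if (!Object.prototype.hasOwnProperty.call(input, name)) {
      if (rule.required) errors.push(`${name}: required`);
      else if (rule.default !== undefined) values[name] = rule.default;
      continue;
    }
    const v = coerce(rule, input[name]);
    if (v === undefined) errors.push(`${name}: expected ${rule.type}`);
    else values[name] = v;
  }
  return { ok: errors.length === 0, values, errors };
}

// Express-style middleware built from a route's options object (assumed shape):
// rejects bad input with 400 and replaces req.query with the cleaned values.
function paramsMiddleware(routeOptions) {
  return (req, res, next) => {
    const result = validateParams(routeOptions.params || {}, req.query || {});
    if (!result.ok) return res.status(400).json({ errors: result.errors });
    req.query = result.values;
    next();
  };
}
```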