andreashappe
commented
5 months ago external to what exactly? I think, we mean the same thing: anything that is used as input that might be altered by an attacker must not be trusted at all.
When we change it to "external data" I fear that use-cases such as injection attacks in backup data might fall through, as backups are not external data.
Maybe we should first define what we mean with 'user data' or 'external data', e.g., anything that can be access or altered by an attacker (potentially including network traffic, backup data, files on disk, etc.). Don't trust this external data.
If you want to, a commit do document that would be highly appreciated. Thanks, Andreas
katyanton
Under the heading 'Prevent malicious data from entering the system' it states to 'Never trust user-provided data!' however I would recommend to widen this statement to never trust external data.
Additionally under 'Client side and Server side Validation' I would mention that the benefit of using both client AND server side validation is that a server-side validation warning can inform operations of a potential hacker as the client-side validation had been bypassed.