UKHomeOfficeForms / hof

Bootstrap a HOF project
MIT License

HOF-25 - Added sanitisation middleware and appropriate tests #297

Closed MCrawleyHomeOffice closed 2 years ago

MCrawleyHomeOffice commented 2 years ago

What? In order to move away from using naxsi rules we need to sanitise the user input before saving it to session

Why? Naxsi is a sledgehammer for which we've had to disable many rules so our users don't get problems. Instead we're going to add new sanitisation rules that will manipulate the user input if they enter something we don't like to avoid possible SQL injection and other attacks.

How? Added a new middleware in the base-controller called _sanitization() which will loop our user inputs and modify them accordingly.

Testing? Unit tests and linting tests.

Screenshots (optional) N/A

Anything Else? Rules for what we have agreed to do for each unwanted string are detailed on the original ticket - HOF-25.

MCrawleyHomeOffice commented 2 years ago

Were you able to test this on a service?

Yes, it was tested on firearms and NRM using the acceptance tests.