catfan / Medoo

The lightweight PHP database framework to accelerate the development.
https://medoo.in
MIT License
4.84k stars, 1.15k forks

JavaScript code can be inserted and executed when printed out. #827

Closed siteantipas closed 5 years ago

siteantipas commented 5 years ago

Bug Description: Security flaw

Information: $db->insert()

I noticed JavaScript can be inserted and executed when printed out, which means Medoo does not use the htmlentities() function to prevent against such.

godigi commented 5 years ago

It's not the job of a database wrapper to handle this. In your application, you should focus on sanitizing input and escaping the output yourself.

skylarmt commented 5 years ago

What if I wanted to store JavaScript in a database? I wouldn't want it to come out mangled.

catfan commented 5 years ago

The prevention of XSS injection or filtering other unexpected data is up to the project itself, not the framework.

You may check and convert the user input before inserting it into the database, or filter it before outputting it to the client.
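The approach catfan describes (keep the database layer neutral, escape at output) as an added example; this is not Medoo's code or the reporter's. It uses plain PDO with an in-memory SQLite database so it runs stand-alone; the Medoo counterparts of the two statements would be `$db->insert('comments', ['body' => $body])` and `$db->select('comments', ['id', 'body'])`, which also bind parameters via PDO. The sample inputs, the `comments` table and the `e()` helper are constructed for the example.

```php
<?php
// Added example (not Medoo's own code): store user input unchanged through a
// prepared statement, and escape it only where it is rendered into HTML.
declare(strict_types=1);

// In-memory SQLite so the script runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: one ordinary comment and one carrying markup/script.
$inputs = [
    "Hello, I'd like to <b>help</b>",
    "<script>alert('xss')</script>",
];

// Storage layer: parameter binding protects the SQL statement itself.
// No HTML escaping happens here, so the stored data (including a legitimate
// JavaScript snippet, as skylarmt asks for) stays exactly as submitted.
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
foreach ($inputs as $body) {
    $stmt->execute([':body' => $body]);
}

/**
 * Escape a value for an HTML text node or a double-quoted attribute.
 * ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string, which would silently drop output.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$rows = $pdo->query('SELECT id, body FROM comments ORDER BY id')
            ->fetchAll(PDO::FETCH_ASSOC);

// The database round-trip must not alter the data: escaping is not its job.
foreach ($rows as $i => $row) {
    assert($row['body'] === $inputs[$i]);
}

// Output layer: this is the one place where HTML context is known, so this is
// where escaping belongs. The script tag is rendered as text, not executed.
echo "<ul>\n";
foreach ($rows as $row) {
    echo '  <li data-id="' . e((string) $row['id']) . '">' . e($row['body']) . "</li>\n";
}
echo "</ul>\n";
```

Run with `php example.php` and look at the second list item: the angle brackets and quotes arrive as entities, so a browser shows the script as text. If the same value is later placed in a different context (a JavaScript string, a URL, a CSS value), it needs that context's encoder instead of `htmlspecialchars`, which is the reason escaping cannot be done once at insert time.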

siteantipas commented 5 years ago

Okay, that's true. I understand now.

On Sat, 30 Mar 2019 at 06:56, Catfan notifications@github.com wrote:

The prevention of XSS injection or filtering other unexpected data is up to the project itself, not the framework.

You may check and convert the user input before inserting it into the database, or filter it before outputting it to the client.
