sailorproject / sailor

A Lua MVC Web Framework.
MIT License

Docs could include more advice on securing apps #118

Open SoniEx2 opened 8 years ago

SoniEx2 commented 8 years ago

This part of the README talks about SQL injection https://github.com/sailorproject/sailor/blob/master/README.md#creating-pages

but I only see XSS.

Etiene commented 8 years ago

Where do you see XSS?

When I talk about SQL injection I mean the methods in the model module that escape the values passed before building the query to pass to the db module. (or not) (https://github.com/sailorproject/sailor/blob/master/src/sailor/model.lua#L203) (https://github.com/sailorproject/sailor/blob/master/src/sailor/model.lua#L258)

SoniEx2 commented 8 years ago

Ah, I thought you meant user input being used as-is in the resulting HTML...

felipedaragon commented 8 years ago

Can this issue be closed? PS: you might want to open another because I heard Robotnik is back in the Emerald Hill :)

SoniEx2 commented 8 years ago

@felipedaragon idk if you know this but putting a username in a webpage without escaping HTML elements = XSS, e.g. let's say the username is `<script src="some_dangerous_script.js"></script>` and you don't escape it, so now your page's HTML looks like `Hello <script src="some_dangerous_script.js"></script>`, and the browser runs the script.

Nothing in the README seems to indicate page:render() escapes those (and it shouldn't, because being able to dynamically select HTML content like that is useful, instead escaping should be done by the user).
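An added example (not Sailor's own code) of the escaping the comment above says the user should do before putting a value like a username into HTML; the names and the sample username are constructed for illustration:

```lua
-- Entities for the characters that change meaning inside HTML text
-- and attribute values. '&' is included so an already-escaped string
-- is not silently turned back into markup.
local ESCAPES = {
  ["&"] = "&amp;",
  ["<"] = "&lt;",
  [">"] = "&gt;",
  ['"'] = "&quot;",
  ["'"] = "&#39;",
}

-- Replace every HTML-significant character with its entity.
-- This is HTML-context escaping only: values placed into a <script>
-- block or a URL need their own context-specific encoding.
local function html_escape(s)
  return (tostring(s):gsub("[&<>\"']", ESCAPES))
end

-- Vulnerable: the username is concatenated into the page as-is,
-- which is the situation described in the comment above.
local function greeting_unsafe(username)
  return "Hello " .. username
end

-- Hardened: same greeting, value escaped at the point of output.
local function greeting_safe(username)
  return "Hello " .. html_escape(username)
end

-- Constructed sample input shaped like the one in the discussion.
local username = '<script src="some_dangerous_script.js"></script>'

-- The unsafe version hands the browser live markup; the safe version
-- hands it text that merely looks like markup.
print(greeting_unsafe(username))
print(greeting_safe(username))
```

Apply `html_escape` to every untrusted value you interpolate into a view, and keep the raw form only where you deliberately want HTML to be rendered.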

felipedaragon commented 8 years ago

@SoniEx2 are you suggesting the creation of a special readme with basic secure coding tips for Sailor users? Some years ago I wrote an article about a dozen similar scenarios, not just covering XSS but other potential issues: http://seclists.org/fulldisclosure/2014/May/128

SoniEx2 commented 8 years ago

I'm suggesting the README should warn about XSS, as it's relevant to the given example.

felipedaragon commented 8 years ago

@SoniEx2 @Etiene here is an example of how another framework (Django) tackled this in their documentation: https://docs.djangoproject.com/en/1.9/topics/security/