Closed uniphil closed 3 years ago
user input is unsanitized before being displayed in any UI in some places, particularly form elements.
(database input, on the other hand, is all very carefully and thoroughly sanitized against SQL injection! 🙌🏼 woo!)
I suspect #1 may be related.
for CSRF, there's no protection. it's a pretty targeted attack, prob ok to try not to think about here
(low priority only because we have a nominal level of trust of vendors using this form)
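The first point above (raw user input rendered into form elements) is the attribute-context variant of output escaping. The following is an added illustration written for this issue, not code from the project (whose language is not stated here; Python is assumed): the unsafe interpolation pattern beside its escaped form, with a check that the rendered tag stays well-formed.

```python
import html

# Constructed sample of untrusted, vendor-supplied input (not taken from the project).
UNTRUSTED = 'Acme "Widgets" & <Co>'


def render_field_unsafe(value: str) -> str:
    """The pattern the issue describes: the raw value lands inside a form element."""
    return f'<input type="text" name="vendor" value="{value}">'


def render_field_safe(value: str) -> str:
    """Hardened form: escape for HTML attribute context.

    html.escape(quote=True) converts &, <, >, " and ' to entities, so the value
    cannot close its surrounding quotes or open a new tag. Template engines with
    autoescape enabled do the equivalent; this shows what must happen either way.
    """
    return f'<input type="text" name="vendor" value="{html.escape(value, quote=True)}">'


def attribute_intact(markup: str) -> bool:
    """Heuristic well-formedness check for one rendered <input> tag.

    A single tag with three double-quoted attributes has exactly six double quotes
    and one '<' / one '>'. Any surplus means the value escaped its attribute.
    """
    return markup.count('"') == 6 and markup.count("<") == 1 and markup.count(">") == 1


def rendered_value_roundtrips(value: str) -> bool:
    """The escaped attribute must still decode to the original text the browser shows."""
    return html.unescape(html.escape(value, quote=True)) == value


if __name__ == "__main__":
    print("unsafe:", render_field_unsafe(UNTRUSTED), attribute_intact(render_field_unsafe(UNTRUSTED)))
    print("safe:  ", render_field_safe(UNTRUSTED), attribute_intact(render_field_safe(UNTRUSTED)))
```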