[Pkg-owncloud-commits] [owncloud-doc] 42/43: add hint about xss security

David Prévot taffit at alioth.debian.org
Tue Aug 20 11:56:14 UTC 2013


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch dfsg_clean
in repository owncloud-doc.

commit 74adec1c95578f70fb83ac565c5ee4da289d5b9c
Author: Bernhard Posselt <nukeawhale at gmail.com>
Date:   Sat Aug 17 12:52:11 2013 +0200

    add hint about xss security
---
 developer_manual/app/general/security.rst |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/developer_manual/app/general/security.rst b/developer_manual/app/general/security.rst
index 5c8be8f..457dee9 100644
--- a/developer_manual/app/general/security.rst
+++ b/developer_manual/app/general/security.rst
@@ -11,7 +11,7 @@ This guideline highlights some of the most common security problems and how to p
 
 SQL Injection
 -------------
-`SQL Injection <http://en.wikipedia.org/wiki/SQL_injection>`_ occurs when SQL query strings are concatenated with variables. 
+`SQL Injection <http://en.wikipedia.org/wiki/SQL_injection>`_ occurs when SQL query strings are concatenated with variables.
 
 To prevent this, always use prepared queries:
 
@@ -22,7 +22,7 @@ To prevent this, always use prepared queries:
   $query = \OCP\DB::prepare($sql);
   $params = array(1);
   $result = $query->execute($params);
-  
+
 If the App Framework is used, write SQL queries like this in the a class that extends the Mapper:
 
 .. code-block:: php
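Review bot: the unchanged context line "write SQL queries like this in the a class that extends the Mapper" carries a stray "the"; since this hunk already touches the surrounding whitespace, fixing it to "in a class that extends the Mapper" would be cheap.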
@@ -58,7 +58,12 @@ An attacker might now easily send the user a link to::
 
 to overtake the user account. The same problem occurs when outputting content from the database or any other location that is writeable by users.
 
-To prevent XSS in your app, **never use echo, print() or <\%=** - use **p()** instead which will sanitize the input.
+Another attack vector that is often overlooked is XSS in **href** attributes. HTML allows to execute javascript in href attributes like this::
+
+    <a href="javascript:alert('xss')">
+
+
+To prevent XSS in your app, **never use echo, print() or <\%=** - use **p()** instead which will sanitize the input. Also **validate urls to start with the expected protocol** (starts with http for instance)!
 
 .. note:: Should you ever require to print something unescaped, double check if it is really needed. If there is no other way (e.g. when including of subtemplates) use `print_unescaped`  with care.
 
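Review bot: the new paragraph does not say why the href case needs its own rule, and the text as written still reads as if `p()` were the fix. State explicitly that `p()` does not protect against `<a href="javascript:alert('xss')">`: HTML escaping does not change the URL scheme, and the browser decodes any escaped characters in the attribute value before following the link, so the scheme check is a required second step, not an optional extra. The rule "starts with http for instance" is also looser than it should be; compare the scheme against an explicit allowlist (for example `http://` and `https://`) and reject everything else, and say that the validated URL must still be output through `p()` when it is written into the attribute. Minor: "HTML allows to execute javascript in href attributes" reads better as "HTML allows JavaScript to be executed from href attributes", and the two consecutive blank lines after the literal block should be one.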

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud-doc.git


