Re: WebObjects vulnerabilities?
Re: WebObjects vulnerabilities?
- Subject: Re: WebObjects vulnerabilities?
- From: George Domurot <email@hidden>
- Date: Mon, 11 Jul 2011 18:36:29 -0700
If you output strings with escapeHTML=false, you could have an issue.
You may want to consider stripping all potential tags from strings prior to rendering, or at the time of entry.
-G
On Jul 11, 2011, at 6:01 PM, Mai Nguyen wrote:
> Hello,
> I have found some good information about WebObjects and security at the following wiki link:
>
> http://en.wikibooks.org/wiki/WebObjects/Web_Applications/Development/Authentication_and_Security
>
> However, there is no mention about SQL injections which seems to be an active subject lately. Is WebObjects pretty safe, as there is no need to generate SQL directly and access to the DB is going through the EOs normally?
> Are there any other loopholes that I am not aware of?
> About the following article:
> http://support.apple.com/kb/TA26730?viewlocale=en_US
> Would the normal WebObjects behavior be pretty safe if one does not allow the user to enter HTML tags? Does Project Wonder do something in this area?
>
> Many thanks for your advice,
>
> -mai _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden