There are two types of injection attacks and they are mixed up in
this thread.
- SQL Injection. DAL prevents those. Period. (unless you are on an old
version of postgresql)
- XSS Injections. {{=anything}} prevents those.
Caveats about XSS. If you use a WYSIWYG/HTML editor you are forced to
do {{=X
Y
On Jun 18, 1:51 pm, Anthony wrote:
> Unless you're writing your own raw SQL, I think the DAL is supposed to
> protect against SQL injection attacks. And if you're returning code to any
> views, the template engine should escape it properly before rendering. Have
> you successfully executed an actual attack?
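An added example, not from the thread and not web2py's own code, contrasting the two mechanisms the post describes: a bound-parameter query against an in-memory sqlite3 table stands in for the DAL, html.escape stands in for {{=...}}, and a small hypothetical allowlist sanitizer (with an assumed tag allowlist) covers WYSIWYG output that must keep some markup instead of being escaped wholesale.

```python
import html
import re
import sqlite3

# Constructed sample inputs (not from the thread): one SQL and one HTML payload
SQL_PAYLOAD = "x' OR '1'='1"
HTML_PAYLOAD = '<b>hi</b><script>alert(1)</script>'
ALLOWED_TAGS = {"b", "i", "p", "br"}  # hypothetical allowlist for editor output
_BARE_TAG = re.compile(r"^</?([A-Za-z0-9]+)\s*/?>$")


def setup_db():
    # In-memory table standing in for a DAL-defined table
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (name TEXT)")
    db.executemany("INSERT INTO person VALUES (?)", [("alice",), ("bob",)])
    return db


def count_by_name_unsafe(db, name):
    # Raw SQL built by string formatting: the value becomes part of the SQL grammar
    sql = "SELECT COUNT(*) FROM person WHERE name = '%s'" % name
    return db.execute(sql).fetchone()[0]


def count_by_name_safe(db, name):
    # Bound parameter, which is what the DAL emits: the value stays data
    row = db.execute("SELECT COUNT(*) FROM person WHERE name = ?", (name,))
    return row.fetchone()[0]


def render_escaped(value):
    # Equivalent of {{=value}}: every character with HTML meaning is escaped
    return html.escape(str(value), quote=True)


def sanitize_html(fragment):
    # For WYSIWYG content that must keep some markup: keep allowlisted bare tags,
    # escape every other tag (including any tag carrying attributes) and all text
    out = []
    for piece in re.split(r"(<[^>]*>)", fragment):
        m = _BARE_TAG.match(piece)
        if m and m.group(1).lower() in ALLOWED_TAGS:
            out.append(piece)
        else:
            out.append(html.escape(piece, quote=True))
    return "".join(out)
```

Running count_by_name_unsafe and count_by_name_safe with SQL_PAYLOAD on setup_db() returns 2 and 0 respectively, which is the whole difference between concatenated and bound SQL.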
Unless you're writing your own raw SQL, I think the DAL is supposed to
protect against SQL injection attacks. And if you're returning code to any
views, the template engine should escape it properly before rendering. Have
you successfully executed an actual attack?
On Saturday, June 18, 2011