There are two types of injection attacks, and they are mixed up in this thread.

- SQL Injection. DAL prevents those. Period. (unless you are on an old version of postgresql)
- XSS Injections. {{=anything}} prevents those.

Caveats about XSS. If you use a WYSIWYG/HTML editor you are forced to do {{=XML(...)}}, i.e. prevent the escaping. So in general WYSIWYG/HTML editors tend to introduce XSS vulnerabilities. The best you can do is {{=XML(...,sanitize=True)}}, which does prevent the XSS again but may break some WYSIWYG/HTML editors. That is why it is much better to use WIKI syntax instead of WYSIWYG/HTML.

I have seen a lot of vendors selling CMS systems and claiming the ability to cut and paste <embed>...</embed> objects (for example embed youtube videos). This "feature" is an XSS vulnerability. You cannot have both.

Massimo

On Jun 18, 1:27 pm, weheh <richard_gor...@verizon.net> wrote:
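The three rendering modes contrasted in the post ({{=x}} escaping everything, {{=XML(x)}} passing markup through untouched, {{=XML(x, sanitize=True)}} keeping only allowed markup), reproduced as an added standard-library Python illustration. This is not web2py's code and does not call gluon; the function names, the tag and attribute allowlists and the constructed sample input are assumptions, chosen to show what a sanitizer has to drop (script bodies, embed/object tags, event-handler attributes, javascript: links) and why a sanitized result can lose markup that a WYSIWYG editor produced, which is the trade-off the post describes.

```python
# Added illustration, not web2py code: contrasts the three rendering modes
# from the post using only the standard library. Allowlists are assumptions.
from html import escape
from html.parser import HTMLParser

# Assumed allowlist in the spirit of wiki markup: structural/inline tags only,
# no embed/object/iframe/script, and only href on links.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
# Tags whose text content must vanish as well (script source is not "text").
DROP_WITH_CONTENT = {"script", "style"}
VOID_TAGS = {"br"}

# Constructed sample of hostile input pasted through an HTML editor.
SAMPLE_INPUT = ('<b>Hello</b><script>alert(document.cookie)</script>'
                '<a href="javascript:alert(1)" onclick="steal()">link</a>'
                '<a href="https://example.com/">ok</a>'
                '<embed src="//example.invalid/x.swf"></embed>')


def render_escaped(value):
    """What {{=value}} does: every HTML-significant character is escaped,
    so user input can never become markup."""
    return escape(str(value), quote=True)


def render_raw(value):
    """What {{=XML(value)}} does: the string reaches the browser untouched.
    Safe only for trusted markup, never for user input."""
    return str(value)


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the document keeping only allowed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.skipping = None  # name of a DROP_WITH_CONTENT tag we are inside

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text is kept and escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.parts.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skipping:
            # convert_charrefs decoded entities, so re-escape text on output
            self.parts.append(escape(data, quote=False))

    def result(self):
        self.close()
        return "".join(self.parts)


def render_sanitized(value):
    """Roughly what {{=XML(value, sanitize=True)}} does: markup survives only
    if it is on the allowlist. Anything an editor emitted outside the
    allowlist (embeds, inline styles, event handlers) is lost."""
    parser = _AllowlistSanitizer()
    parser.feed(str(value))
    return parser.result()


if __name__ == "__main__":
    print("escaped  :", render_escaped(SAMPLE_INPUT))
    print("raw      :", render_raw(SAMPLE_INPUT))
    print("sanitized:", render_sanitized(SAMPLE_INPUT))
```

Running it shows the escaped form as inert text, the raw form as the verbatim attack, and the sanitized form reduced to `<b>Hello</b><a>link</a><a href="https://example.com/">ok</a>`: the script body, the embed, the event handler and the javascript: link are gone, but so is any markup an editor relied on that is not in the allowlist, which is the breakage the post warns about.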