
Security features #145

Open
1 of 3 tasks
peter279k opened this issue Feb 27, 2019 · 5 comments
Assignees: lablnet
Labels: bug (Something isn't working), enhancement (New feature or request), Feature Request

Comments

@peter279k
Member

peter279k commented Feb 27, 2019

As the title says, the security components are important to this framework.

According to OWASP, we need to consider the following security issues:

@lablnet
Member

lablnet commented Feb 27, 2019

About

* XSS
  it's already in the input class, you may see => https://github.com/zestframework/Zest_Framework/blob/master/src/Input/Input.php#L133

and CSRF and SQL injections need to be implemented

@lablnet lablnet added bug Something isn't working enhancement New feature or request Feature Request labels Feb 27, 2019
@lablnet lablnet self-assigned this Feb 27, 2019
@peter279k
Member Author

peter279k commented Feb 27, 2019

About

* XSS
  it's already in the input class, you may see => https://github.com/zestframework/Zest_Framework/blob/master/src/Input/Input.php#L133

and CSRF and SQL injections need to be implemented

@lablnet, thank you for your reply.

After tracing the code, it seems that it uses htmlspecialchars to prevent XSS attacks.

Have you considered the htmlentities function?

Here is this function's explanation:

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

The htmlentities function is more powerful than htmlspecialchars because it can help us to specify the character encoding during entity conversion.
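
An added example, not code from the Zest Framework or from either commenter, showing how htmlspecialchars() and htmlentities() behave once flags and encoding are passed explicitly (both functions accept an encoding argument); the helper names and the sample strings are invented for illustration:

```php
<?php
// Added example (not Zest Framework code): how flags and encoding change
// the output of htmlspecialchars()/htmlentities() when escaping untrusted
// input for an HTML body or attribute context.

declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES escapes both " and ' (ENT_COMPAT, the default before PHP 8.1,
 * leaves ' untouched, which matters inside single-quoted attributes).
 * ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
 * making the function return an empty string.
 */
function escapeHtml(string $value, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $encoding);
}

/**
 * Same flags with htmlentities(): every character that has a named entity
 * (e.g. é -> &eacute;) is converted, not only the HTML-significant ones.
 * For XSS purposes the two are equivalent; the difference is output size
 * and readability, not safety.
 */
function escapeHtmlEntities(string $value, string $encoding = 'UTF-8'): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $encoding);
}

// Constructed sample inputs: markup plus both quote styles and a non-ASCII
// letter, and a Latin-1 byte that is not valid UTF-8.
$samples = [
    '<b title=\'x\'>Café</b> "quoted"',
    "caf\xE9",
];

foreach ($samples as $input) {
    // Old default flags: ' survives, and invalid UTF-8 yields "" (silently).
    printf("ENT_COMPAT, no substitute: [%s]\n", htmlspecialchars($input, ENT_COMPAT, 'UTF-8'));
    printf("escapeHtml:                [%s]\n", escapeHtml($input));
    printf("escapeHtmlEntities:        [%s]\n", escapeHtmlEntities($input));
    echo "\n";
}
```

Run it with `php example.php`; the second sample shows why an escaping helper should pass ENT_SUBSTITUTE, since an empty string is returned otherwise and the caller has no error to notice.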

@peter279k
Member Author

peter279k commented Feb 27, 2019

Please look at this reference to know the OWASP Top 10 security issues.

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

@lablnet
Member

lablnet commented Feb 27, 2019

About

* XSS
  it's already in the input class, you may see => https://github.com/zestframework/Zest_Framework/blob/master/src/Input/Input.php#L133

and CSRF and SQL injections need to be implemented

@lablnet, thank you for your reply.

After tracing the code, it seems that it uses htmlspecialchars to prevent XSS attacks.

Have you considered the htmlentities function?

Here is this function's explanation:

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

The htmlentities function is more powerful than htmlspecialchars because it can help us to specify the character encoding during entity conversion.

@peter279k thanks, yes, you are right.
5d6f25e
fixed

@lablnet
Member

lablnet commented Feb 27, 2019

Please look at this reference to know the OWASP Top 10 security issues.

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Yes, sure, I will take a look here, thanks.
