This repository has been archived by the owner on Jul 31, 2019. It is now read-only.

encodeURIComponent on the "Getting started" page #141

Closed
mik01aj opened this issue Feb 5, 2015 · 2 comments
Comments

@mik01aj

mik01aj commented Feb 5, 2015

Quoted from http://hapijs.com/tutorials:

handler: function (request, reply) {
    reply('Hello, ' + encodeURIComponent(request.params.name) + '!');
}

Note that we URI encode the name parameter, this is to prevent content injection attacks. Remember, it's never a good idea to render user provided data without output encoding it first!

While I agree that rendering user provided data is often a risk, I have big doubts whether the presented method is really a good idea. It means garbling possibly valid user input such as John "Johnny" Doe or Владимирь. Shouldn't Content-Type: application/json be enough to guard against HTML/JS injection?

@nlf nlf added the question label Mar 12, 2015
@nlf nlf self-assigned this Mar 12, 2015
@nlf
Contributor

nlf commented Mar 12, 2015

The point of the comment wasn't to showcase a perfect method of encoding, but rather to make sure that users are aware that directly rendering user provided data is a bad idea. encodeURIComponent is the simplest, most basic method of encoding such data to protect the user so that's what I used as an example. Eventually there will be a security tutorial (see #44) where we can go into more detail about this topic.

@nlf nlf closed this as completed Mar 12, 2015
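The following is an added example illustrating both comments above; it is not code from the hapijs tutorial, from this issue, or from the hapi project. It runs the two inputs mik01aj mentions, plus a constructed injection attempt, through three output encoders: the tutorial's encodeURIComponent, an HTML-entity escaper appropriate for a text/html body, and JSON.stringify as the encoder for an application/json body. The hapi reply() interface is left out so the block runs under plain Node; the response object shape in greetJson is an assumption for illustration only.

```javascript
// Added example (not hapi project code): what each output encoder does to
// user-supplied input, using the samples from the issue above.

// 1. What the tutorial does. Safe in an HTML text context only because
//    '<', '>', '"', '&' and "'" are all percent-encoded, but every space,
//    quote and non-ASCII character is mangled along with them.
function greetUriEncoded(name) {
  return 'Hello, ' + encodeURIComponent(name) + '!';
}

// 2. Context-appropriate encoding for an HTML text node: escape only the
//    five characters that can change HTML structure, leave everything else
//    (spaces, Cyrillic, ...) intact.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function greetHtml(name) {
  return 'Hello, ' + escapeHtml(name) + '!';
}

// 3. A JSON response: JSON.stringify is the output encoder here. The value
//    arrives unchanged, and a browser does not interpret an application/json
//    body as HTML. It stays safe only as long as the client does not later
//    insert the value into the DOM via innerHTML without HTML-escaping it.
//    (Response shape is an assumption for illustration, not hapi's API.)
function greetJson(name) {
  return {
    headers: { 'content-type': 'application/json; charset=utf-8' },
    body: JSON.stringify({ greeting: 'Hello, ' + name + '!' }),
  };
}

// Constructed sample inputs: the two from the issue plus an injection attempt.
const SAMPLES = ['John "Johnny" Doe', 'Владимирь', '<script>alert(1)</script>'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    console.log(greetUriEncoded(s));
    console.log(greetHtml(s));
    console.log(greetJson(s).body);
  }
}
```

Run with `node` to see the three encodings side by side. One caveat on the JSON route: JSON.stringify does not escape `<` or `/`, so a JSON string is safe to return as an application/json body but not to paste verbatim inside an HTML `<script>` block, where a value containing `</script>` would terminate the block.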
@binarymist

Loving it, devs that think about security :P


3 participants