Forum Discussion
Some important questions that will determine what you need to do:
1. Is the content on the external service trusted (e.g. do you have control of it)?
2. What is the format of that content?
3. How are you displaying that content within Lithium?
As a general rule, any content from an unverified or untrusted source should be sanitised before being included in the content of a page. Note that this includes anything that could be changed by the user, such as HTTP GET/POST parameters passed to the page.
The OWASP website is a really good source for information about web security, and has advice on how to avoid vulnerabilities such as Cross Site Scripting (XSS).
FreeMarker has some directives for sanitising strings for display, such as ?html - http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_html
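As an added illustration of the `?html` point above (this is not from the original post or from any Lithium component), here is a small FreeMarker template showing the unescaped interpolation beside the escaped one. The variable names are assumed; the sample values are constructed with `<#assign>` to stand in for an untrusted HTTP parameter or external feed item, which in a real Lithium component would come from the platform's own context objects instead.

```freemarker
<#-- Constructed sample input: pretend this arrived from an untrusted source
     (an HTTP GET/POST parameter or an external service). The names
     untrustedTitle and untrustedComment are assumptions for this example. -->
<#assign untrustedTitle = "Release notes <script>alert(document.cookie)</script>">
<#assign untrustedComment = "\"><img src=x onerror=alert(1)>">

<#-- VULNERABLE: the value is interpolated raw, so the <script> tag becomes
     live markup in the page and runs in every visitor's browser. -->
<h2>${untrustedTitle}</h2>

<#-- HARDENED: ?html replaces <, >, &, " (and ' on recent FreeMarker releases)
     with character entities, so the browser renders the text literally. -->
<h2>${untrustedTitle?html}</h2>

<#-- The same rule applies inside an attribute value; keep the attribute
     quoted, otherwise the second sample still breaks out of it. -->
<div title="${untrustedComment?html}">comment</div>

<#-- ?html is the right built-in only for HTML body and attribute context.
     Text placed inside a JavaScript string literal needs ?js_string instead,
     because entity encoding does nothing inside <script>. -->
<script>
  var title = "${untrustedTitle?js_string}";
</script>
```

Rendering this with the sample values shows the difference directly: the first `<h2>` emits a working `<script>` element, the second emits `&lt;script&gt;...` and displays as plain text. The context-dependence is the check a practitioner should make in each Lithium component: pick the built-in that matches where the value lands (`?html` for markup, `?js_string` for script strings), rather than applying `?html` everywhere and assuming it covers every case.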