Forum Discussion
hattesen
Adept
But there needs to be a generic and SAFE way to avoid attacks and syntax errors, regardless of WHERE term content.
I would imagine, that the String builtin jsString might do the job...
<#assign replies = rest("2.0","/search?q=" + "SELECT id, body FROM messages WHERE topic.tag = '${topic_tag?js_string}' AND depth > 0"?url).data.items />
See http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_js_string
However, this is a serious security and stability problem that needs a "best practice" to be defined by the Lithium developers. Believing that something MIGHT be safe, just isn't acceptable in this sort of situation.
I would imagine, that the String builtin jsString might do the job...
<#assign replies = rest("2.0","/search?q=" + "SELECT id, body FROM messages WHERE topic.tag = '${topic_tag?js_string}' AND depth > 0"?url).data.items />
See http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_js_string
However, this is a serious security and stability problem that needs a "best practice" to be defined by the Lithium developers. Believing that something MIGHT be safe, just isn't acceptable in this sort of situation.
FaisalK
9 years agoLithium Alumni (Retired)
I agree in principle, however, this is no different than coding in Java or JS or any other language. Incorporating untrusted user input is never a good idea. And like many of those other languages, it's left up to the developer, freemarker in this case, to incorporate the security best practices (?html, js_string, etc).
This type of customization is not considered a user level task, it should only be attempted by a trained and knowledgeable person like yourself.
- hattesen9 years agoAdeptWhen coding Java against a database, you use prepared statements with parameters for this very reason.
Lithium developers should not be expected to foresee injection attacks and manually escaping strings. At the very least, a "best practice" should be established, and recommendations should be made for using ?ja_string, or whatever is deemed best for escaping quotes and double quotes.
Related Content
- 2 years ago
- 10 years ago