Forum Discussion
hattesen
Adept
But there needs to be a generic and SAFE way to avoid attacks and syntax errors, regardless of WHERE term content.
I would imagine, that the String builtin jsString might do the job...
<#assign replies = rest("2.0","/search?q=" + "SELECT id, body FROM messages WHERE topic.tag = '${topic_tag?js_string}' AND depth > 0"?url).data.items />
See http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_js_string
However, this is a serious security and stability problem that needs a "best practice" to be defined by the Lithium developers. Believing that something MIGHT be safe, just isn't acceptable in this sort of situation.
I would imagine, that the String builtin jsString might do the job...
<#assign replies = rest("2.0","/search?q=" + "SELECT id, body FROM messages WHERE topic.tag = '${topic_tag?js_string}' AND depth > 0"?url).data.items />
See http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_js_string
However, this is a serious security and stability problem that needs a "best practice" to be defined by the Lithium developers. Believing that something MIGHT be safe, just isn't acceptable in this sort of situation.
FaisalK
9 years agoLithium Alumni (Retired)
I agree in principle, however, this is no different than coding in Java or JS or any other language. Incorporating untrusted user input is never a good idea. And like many of those other languages, it's left up to the developer, freemarker in this case, to incorporate the security best practices (?html, js_string, etc).
This type of customization is not considered a user level task, it should only be attempted by a trained and knowledgeable person like yourself.