Forum Discussion

Adept

9 years ago

LiQL injection attacks and quotes in Rest API 2.0

I am sorry if this subject has already been covered, but I have searched forums, knowledge bases and Google for any answers and have come up empty handed. I am wondering how LiQL is protected aga...

FaisalK

Lithium Alumni (Retired)

I agree in principle, however, this is no different than coding in Java or JS or any other language. Incorporating untrusted user input is never a good idea. And like many of those other languages, it's left up to the developer, freemarker in this case, to incorporate the security best practices (?html, js_string, etc).

This type of customization is not considered a user level task, it should only be attempted by a trained and knowledgeable person like yourself.

hattesen

Adept

9 years ago

When coding Java against a database, you use prepared statements with parameters for this very reason.

Lithium developers should not be expected to foresee injection attacks and manually escaping strings. At the very least, a "best practice" should be established, and recommendations should be made for using ?ja_string, or whatever is deemed best for escaping quotes and double quotes.

Forum Discussion

LiQL injection attacks and quotes in Rest API 2.0

Related Content

Injecting a Js code after page load

Aurora: About the "Boards" set of permissions

Aurora: About the "Categories" set of permissions

Way to distinguish "sender" vs "receiver" in threaded private messages (version 3.1)

Search on the API using "first name"

Recent Discussions

How to fetch all labels associated with TkbArticlePage and count how many times each label is used

In Aurora, add additional <script> and <meta> tags

Setup content filter for arabic language

24.10 API change breaks navigation

How to create/subscribe the Webhook in Aurora