Travis;
This just tripped a SECURITY ALERT in my app during a movie scrape!
Record: 313022 Trailer Path: Path: http://www.youtube.com/watch?v=
Html code in a database record??? Not good.
Please comment.
Joe
Reply by Joe Rose
on June 8, 2015 at 9:32 PM
Travis;
Sure enough! It executed in this post!
Reply by Travis Bell
on June 8, 2015 at 11:29 PM
Hi Joe,
I don't believe there's any sanitization on the video field. I've created a new ticket for this here. It's very much related to ticket #887, so I'll do them both at the same time.
Reply by LordMike
on June 15, 2015 at 5:04 PM
Uh .. just for the record. It is perfectly fine to have HTML or any other form of "code" or "markup" in the database. In fact - it should stay in that format.
It is YOUR job as a consumer to sanitize/encode values when presenting them, because only YOU know which format they should go in. (As an example, for HTML, there are different encodings depending on whether you want some text in the body, attributes, JavaScript or CSS.)
Mike
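To illustrate the point made in the reply above (encode at the point of output, per context), here is an added example that is not from the thread or from TMDb: four small encoders for HTML body, HTML attribute, JavaScript string and CSS string contexts, applied to a constructed trailer_path value that carries markup like the one in the alert.

```javascript
// Added example, not code from the thread. The sample trailer_path value
// below is constructed; the record id and the real value are not reproduced.

// 1. HTML body text: the five characters HTML itself treats specially.
function encodeForHtmlBody(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. HTML attribute value: numeric entities for everything that is not
//    alphanumeric, so the value can neither close the quote nor the tag.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => "&#x" + c.codePointAt(0).toString(16) + ";");
}

// 3. JavaScript string literal: \xHH / \u{...} escapes, so the value cannot
//    terminate the literal or smuggle a closing </script> past the parser.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 256
      ? "\\x" + cp.toString(16).padStart(2, "0")
      : "\\u{" + cp.toString(16) + "}";
  });
}

// 4. CSS string: \HH escapes; the trailing space terminates each escape.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => "\\" + c.codePointAt(0).toString(16) + " ");
}

// Constructed sample: what a stored trailer path with embedded markup looks
// like. Storing it verbatim is fine; rendering it raw is the bug.
const TRAILER_PATH = 'http://www.youtube.com/watch?v=<script>alert(1)</script>';

// The consumer renders the same stored value into two different HTML
// contexts and picks the encoder for each one.
function renderTrailerLink(path) {
  return '<a href="' + encodeForHtmlAttribute(path) + '">' +
         encodeForHtmlBody(path) + '</a>';
}
```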