Data validation / xss

Data validation / xss

nskwortsownskwortsow Posts: 120Questions: 0Answers: 0
edited October 2012 in Editor
Hi,
Does Editor clean (e.g. mysql_escape(); or intval();) data before executing a SQL query with user-submitted values, to prevent XSS-attacks?
Where can I find this in the documentation?
Thanks,
Nate

Replies

  • allanallan Posts: 63,534Questions: 1Answers: 10,475 Site admin
    edited October 2012
    Hi Nate,

    The PHP implementation that Editor comes with using PDO exclusively for the database connection (the driver architecture means that the old mysql_* functions of PHP or any other non-PDO method could be used, but they are not at this time). `bindValue` is the PDO method used ( http://php.net/manual/en/pdostatement.bindvalue.php ) for ensuring values are added to the database safely (see the 'Query.php' file in the database drivers directory in Editor).

    Also Editor very specifically does not simply echo back any values that were sent to the server - a prime vector for scripting attacks.

    In summary, I'm not aware of any security issues at this time. Having said that like all software, its virtually impossible to guarantee it is risk free and if any issues are found, we'll fix them as a priority, but we've certainly had security in mind while writing it!

    Allan
This discussion has been closed.