If you output strings with escapeHTML=false, you could have an issue. You may want to consider stripping all potential tags from strings prior to rendering, or at the time of entry.
-G

On Jul 11, 2011, at 6:01 PM, Mai Nguyen wrote:

> Hello,
> I have found some good information about WebObjects and security at the
> following wiki link:
>
> http://en.wikibooks.org/wiki/WebObjects/Web_Applications/Development/Authentication_and_Security
>
> However, there is no mention about SQL injections which seems to be an active
> subject lately. Is WebObjects pretty safe, as there is no need to generate
> SQL directly and access to the DB is going through the EOs normally?
> Are there any other loopholes that I am not aware of?
> About the following article:
> http://support.apple.com/kb/TA26730?viewlocale=en_US
> Would the normal WebObjects behavior be pretty safe if one does not allow the
> user to enter HTML tags? Does Project Wonder do something in this area?
>
> Many thanks for your advice,
>
> -mai

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
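An audit check that goes with the advice above, added here and not part of the original post or of WebObjects itself: a POSIX shell/awk scan that lists every WOString declaration in a .wod file bound with `escapeHTML = false`, so those bindings can be reviewed for user-controlled values. It assumes the standard .wod declaration layout (`Name : WOString { ... }`); the sample template it scans is constructed.

```shell
#!/bin/sh
# Audit a WebObjects .wod file for WOString bindings rendered with escapeHTML = false.
# (Added example; the .wod declaration layout assumed is the standard one:
#   Name : WOString { value = foo; escapeHTML = false; })

# Print "file:ComponentName" for every WOString declaration whose
# escapeHTML binding is false (or the older NO spelling).
find_unescaped_wostrings() {
    awk -v file="$1" '
        # Start of a declaration such as "Comment : WOString {"
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*:[ \t]*WOString[ \t]*[{]/ {
            name = $1; sub(/:.*/, "", name)
            inblock = 1; unsafe = 0
        }
        # The binding that turns escaping off
        inblock && /escapeHTML[ \t]*=[ \t]*(false|NO)[ \t]*;/ { unsafe = 1 }
        # End of the declaration: report it if escaping was disabled
        inblock && /[}]/ { if (unsafe) print file ":" name; inblock = 0 }
    ' "$1"
}

# Constructed sample template (not from the post): two of the four
# WOString bindings disable escaping, one of them on a single line.
write_sample_wod() {
    cat > "$1" <<'EOF'
Title : WOString {
    value = page.title;
}

Comment : WOString {
    value = comment.body;
    escapeHTML = false;
}

Bio : WOString { value = user.bio; escapeHTML = false; }

Count : WOString {
    value = items.count;
    numberformat = "0";
}
EOF
}

# Demo: scan the sample and list the bindings that need review
# (prints the Comment and Bio declarations, not Title or Count).
sample="${TMPDIR:-/tmp}/sample_component.wod"
write_sample_wod "$sample"
find_unescaped_wostrings "$sample"
rm -f "$sample"
```

Run it over a project's component directories (for example `find . -name '*.wod'` piped into the function) to get a list of raw-HTML bindings to check; anything fed from user-entered data either needs the default escaping restored or the value sanitized at entry, as the reply suggests.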
