Thought I mailed it to the group, but replied to Ingo only instead...
I think this is indeed an important document. Definitely a sticky post
for the forums...
The examples are clear, but when targeting 'less security-focused
HTMLers', I think there could be a little more Why, When and What Else
If You Don't... And maybe a short hotlist, which sums up some 'Always
use this, not this...'
Like in 'Overriding default escaping in templates': when should I use
$Value.XML or $Value.ATT?
I read this as: I should always use Convert::raw2xml() and
Convert::raw2att(). I would never browse the Convert class to search
for built-in security methods.
I think 'less security-focused HTMLers' and people who start to use
Silverstripe because they need some out-of-the-box tool to create
websites will look for methods within Silverstripe when questioning
security issues, instead of Googling secure PHP development (or maybe
just expect Silverstripe will deal with insecure methods by default).
Maybe it is an idea to completely ban plain $_REQUEST, $_POST and
$_GET functions, but offer a method to use built-in getters that
provide escaping methods, like Joomla does with:
could be something like
Security/Controller::getVar('get/request/post/session', $value, 'cast', $exception);
Sure, an (int) cast will do the job in some cases, but a more
experienced developer will know when it will be enough to cast a
request like this, and people who are exploring Silverstripe's default
code for examples will always find getVar methods instead of plain
$_GET methods (maybe the Page.php file is a good place to add some of
those methods, for example the search method).
php_flag engine off
Options -ExecCGI -Includes -Indexes
Why is this not in the htaccess by default?
So far my first pennies. Hope it is constructive.
On 19 jan, 15:59, dalesaurus <dale.lis...@gmail.com> wrote:
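The getVar() idea suggested in the post above, worked out as an added example. This is hypothetical standalone PHP, not SilverStripe's or Joomla's own API: the function names, the constructed $_GET values and the int/string casts are assumptions; escaping uses plain htmlspecialchars() in place of Convert::raw2xml()/raw2att().

```php
<?php
// Constructed sample input, as if the browser had sent ?q=<b>"x"</b>&page=abc
$_GET = ['q' => '<b>"x"</b>', 'page' => 'abc'];

// Hypothetical accessor: one place to read request data, with a typed cast
// and a default, so templates never touch $_GET/$_POST/$_REQUEST directly.
function getVar(string $source, string $name, string $cast = 'string', $default = null)
{
    $bags = ['get' => $_GET, 'post' => $_POST, 'request' => $_REQUEST];
    if (!isset($bags[$source])) {
        throw new InvalidArgumentException("Unknown source: $source");
    }
    if (!array_key_exists($name, $bags[$source])) {
        return $default;
    }
    $raw = $bags[$source][$name];
    switch ($cast) {
        case 'int':
            // Reject non-numeric input instead of letting (int)'abc' silently become 0.
            return filter_var($raw, FILTER_VALIDATE_INT) === false ? $default : (int) $raw;
        case 'string':
            return (string) $raw;
        default:
            throw new InvalidArgumentException("Unknown cast: $cast");
    }
}

// Escape for output; the same call serves element text ($Value.XML in templates)
// and quoted attribute values ($Value.ATT), as long as the attribute is quoted.
function esc(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The "search method" case from the post: an int cast is enough for the page
// number, while the free-text query must be escaped for the context it lands in.
function renderSearch(): string
{
    $q    = getVar('get', 'q', 'string', '');
    $page = getVar('get', 'page', 'int', 1);   // 'abc' fails the int check -> 1
    return '<input name="q" value="' . esc($q) . '">'          // attribute context
         . '<p>Results for ' . esc($q) . ' (page ' . $page . ')</p>'; // element context
}

echo renderSearch(), "\n";
```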