Travis;
This just tripped a SECURITY ALERT in my app during a movie scrape!
Record: 313022 Trailer Path: Path: http://www.youtube.com/watch?v=
Html code in a database record??? Not good.
Please comment.
Joe
Un film, une émission télévisée ou un artiste est introuvable ? Connectez-vous afin de créer une nouvelle fiche.
Vous souhaitez évaluer ou ajouter cet élément à une liste ?
Pas encore membre ?
Réponse de Joe Rose
le 8 juin 2015 à 21h32
Travis;
Sure enough! It executed in this post!
Réponse de Travis Bell
le 8 juin 2015 à 23h29
Hi Joe,
I don't believe there's any sanitization on the video field. I've created a new ticket for this here. It's very much related to ticket #887, so I'll do them both at the same time.
Réponse de LordMike
le 15 juin 2015 à 17h04
Uh .. just for the record. It is perfectly fine to have HTML or any other form of "code" or "markup" in the database. In fact - it should stay in that format.
It is YOUR job as a consumer to sanitize/encode values when presenting them, because only YOU know which format they should go in. (As an example, for HTML, there are different encodings depending on if you want some text in the body, attributes, javascript or css).
Mike