The Movie Database Support

Travis;

This just tripped a SECURITY ALERT in my app during a movie scrape!

Record: 313022 Trailer Path: Path: http://www.youtube.com/watch?v=

Html code in a database record??? Not good.

Please comment.

Joe

3 replies (on page 1 of 1)

Jump to last post

Travis;

Sure enough! It executed in this post!

Hi Joe,

I don't believe there's any sanitization on the video field. I've created a new ticket for this here. It's very much related to ticket #887, so I'll do them both at the same time.

Uh .. just for the record. It is perfectly fine to have HTML or any other form of "code" or "markup" in the database. In fact - it should stay in that format.

It is YOUR job as a consumer to sanitize/encode values when presenting them, because only YOU know which format they should go in. (As an example, for HTML, there are different encodings depending on if you want some text in the body, attributes, javascript or css).

Mike

Can't find a movie or TV show? Login to create it.

Global

s focus the search bar
p open profile menu
esc close an open window
? open keyboard shortcut window

On media pages

b go back (or to parent when applicable)
e go to edit page

On TV season pages

(right arrow) go to next season
(left arrow) go to previous season

On TV episode pages

(right arrow) go to next episode
(left arrow) go to previous episode

On all image pages

a open add image window

On all edit pages

t open translation selector
ctrl+ s submit form

On discussion pages

n create new discussion
w toggle watching status
p toggle public/private
c toggle close/open
a open activity
r reply to discussion
l go to last reply
ctrl+ enter submit your message
(right arrow) next page
(left arrow) previous page

Want to rate or add this item to a list?

Login