[Seaside-dev] Seaside and CSRF attacks

Johan Brichau johan at inceptive.be
Thu Aug 23 08:36:35 UTC 2018



> On 23 Aug 2018, at 08:46, Johan Brichau <johan at inceptive.be> wrote:
> 
> Seaside does help the developer a little to prevent CSRF attacks: all output is encoded per standard. If you store user input and render that directly on your page, you do not have to care if a user would enter malicious scripts to make a CSRF attack. Per default, standard Seaside rendering will encode the output to html text. There is one place in Seaside where this is not done: rendering of title attributes (ssshhhht!! :-). Still want to fix this… but it’s rather annoying in the current code as far as I remember.

oops, I was reading ‘cross-site-scripting-attack’ instead of ‘cross-site-request-forgery’…
But that’s part of Seaside security as well :)

Johan