Security/Reference/Security for libraries

From MediaWiki.org
Jump to navigation Jump to search

It's often useful to use other libraries in MediaWiki to perform common functions. When choosing a library, you should make sure the library doesn't violate any of the common issues on Security for developers or any of the CWE top 25 errors. Take special care with executable demo / example code intended to demonstrate the libraries use. Additionally, the library must use an appropriate open source license.

The library should also make it difficult for other developers to misuse. Some common issues seen include,

  • Echoing or throwing an exception on error that contains un-sanitized input parameters
  • Not documenting when an input parameter is expected to be sanitized, and used without sanitization
  • Exposing debug or testing implementations (e.g., a logging implementation that logs messages to stdout)
  • Requiring an extra parameter or method call to escape the output, instead of escaping by default