Talk:Security for developers

From MediaWiki.org
Jump to navigation Jump to search

More cowbell[edit]

Should Sanitizer::escapeClass be mentioned in Security_for_developers#Cross-site_scripting or is it more of a table of examples rather than thorough list?

Also, per this and then later this and this, Uncyclopedia once found a half dozen parser tag extensions on Wikia allowed raw html injection. And this has happened more than once. It got to be routine that ever new parser tag would immediately get tested with <tag><script>alert('hi!')</script></tag>. Is this covered yet and/or is this type of accidental vulnerability not easily achieved anymore? So spaketh php agnostic: Splarka 17:48, 11 May 2009 (UTC)

Demonstrably secure example[edit]

It would be helpful if two code snippets were added--one that is demonstrably secure and one that is suspicious but both do the same thing. Right now, demonstrably secure is fuzzy in meaning. Phy1729 18:37, 17 October 2010 (UTC)

isset()[edit]

The manual(s) don't say anything clear about isset(). It's not uncommon to see people uploading patches using isset in a way that makes it impossible for them to get reviews, without them even understanding why. I've added Security checklist for developers#Any user input: no isset!, please improve. --Nemo 12:24, 31 July 2014 (UTC)

serialize()/unserialize()[edit]

This advice seems a bit simplistic, considering that JSON can't handle cases where you need to preserve actual PHP objects rather than just generic objects/arrays/scalars. Anomie (talk) 19:06, 26 October 2017 (UTC)