
Security Guidelines

The maintained OpenACS packages are regularly tested with state-of-the-art web vulnerability scanners. The packages are developed following the guidelines below.
 

Protecting against SQL injection (SQLi):

 

  • Use colon-prefixed bind variables in SQL statements when possible (for local variables)
    # use bindvars with local variables
    set x 0
    db_0or1row . {select * from acs_objects where object_id = :x}
    
    or pass bind variables explicitly, using the -bind option
    # use bind variables by passing a dictionary (attribute value list)
    set bindvars {object_id 0 security_inherit_p t}
    db_0or1row . {
       select * from acs_objects 
       where object_id = :object_id
       and security_inherit_p = :security_inherit_p
    } -bind $bindvars
    
  • In case bind variables are not possible, use ns_dbquotevalue or ns_dbquotelist (see the NaviServer manual pages for these commands)
     set x 0
     db_0or1row . [subst {select * from acs_objects where object_id = [ns_dbquotevalue $x]}]
    
  • In general, avoid using double-quoted SQL statements whenever possible to avoid unescaped substitutions.
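The three approaches above shown side by side in one OpenACS .tcl page, as an added example that is not part of the original guidelines. The statement names, the query against acs_objects, and the ID list are constructed for illustration; the commented-out double-quoted form is the pattern the last bullet tells you to avoid.

```tcl
# Added example (not from the original page): the same lookup written
# in the recommended ways. object_id is assumed to arrive from the
# request through ad_page_contract; "naturalnum" already rejects
# anything that is not a non-negative integer.
ad_page_contract {
    Look up one acs_object by id.
} {
    object_id:naturalnum,notnull
}

# (1) AVOID: with double quotes Tcl substitutes $object_id into the SQL
#     text before the driver sees it, so without the filter above a
#     crafted value would become part of the statement itself.
#
#     db_0or1row get_object "select object_type from acs_objects where object_id = $object_id"

# (2) Preferred: braces prevent Tcl substitution, and :object_id is sent
#     to the driver as a bind variable, so the value can never change the
#     structure of the statement. db_0or1row returns 1 when a row was found
#     and sets the selected columns as local variables.
if {[db_0or1row get_object {
    select object_type from acs_objects where object_id = :object_id
}]} {
    ns_log notice "object $object_id has type $object_type"
}

# (3) Explicit bind dictionary via -bind, useful when the values are not
#     plain local variables (e.g. they come from a dict or a computed list).
set bindvars [list object_id $object_id]
db_0or1row get_object {
    select object_type from acs_objects where object_id = :object_id
} -bind $bindvars

# (4) When a bind variable cannot be used, such as a list of values for an
#     IN clause, quote every value with ns_dbquotelist before substituting.
#     The list below is a constructed sample.
set ids {1 2 3}
set rows [db_list_of_lists get_objects [subst {
    select object_id, object_type from acs_objects
    where object_id in ([ns_dbquotelist $ids])
}]]
```

Note that the only difference between the unsafe line in (1) and the safe form in (2) is the quoting character: `"..."` asks Tcl to substitute, `{...}` hands the text to the database driver untouched, which is why the guideline above prefers braces everywhere.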
     

Protecting against cross-site scripting (XSS):

 

  • Validate all input values using page contracts with value checkers, and validate all form variables in the form specification.
  • Make sure that Content Security Policies (CSP) are activated in the package parameters. When you have to relax the CSP rules, use "security::csp::require" as locally as possible (e.g. at the page level) and not at the site level.
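A page that follows both bullets, as an added example that is not part of the original guidelines. The page name, the comments table, the form elements and the CDN host passed to security::csp::require are hypothetical; the page-contract filters (naturalnum, nohtml, trim, localurl), ad_form's -validate clause and ad_html_security_check are standard OpenACS facilities.

```tcl
# Added example (not from the original page): input validation through the
# page contract and the form spec, plus a page-local CSP relaxation.

ad_page_contract {
    Edit one comment (hypothetical page).
} {
    comment_id:naturalnum,notnull
    {q:nohtml,trim ""}
    {return_url:localurl "."}
}

# This page loads a script from one external host; the policy is relaxed
# here only, not in the package parameter that applies to the whole site.
# The host is a placeholder.
security::csp::require script-src https://cdn.example.com

# Form variables are validated in the form specification: datatypes on the
# elements, plus explicit -validate expressions for anything the datatype
# alone does not cover. ad_html_security_check returns "" when the HTML
# contains only allowed tags and attributes, otherwise an error message.
ad_form -name comment_form -form {
    {comment_id:integer(hidden)}
    {title:text(text) {label "Title"} {html {size 60 maxlength 200}}}
    {body:text(textarea) {label "Comment"} {html {rows 8 cols 60}}}
} -validate {
    {title {[string length $title] <= 200} "Title must be 200 characters or fewer"}
    {body {[ad_html_security_check $body] eq ""} "Comment contains disallowed HTML"}
} -on_submit {
    # Bind variables again: the validated values never become SQL text.
    # The comments table is hypothetical.
    db_dml update_comment {
        update comments
        set title = :title, body = :body
        where comment_id = :comment_id
    }
    ad_returnredirect $return_url
    ad_script_abort
}
```

In the accompanying .adp template, output variables with plain `@title@` so the templating system HTML-quotes them; `@body;noquote@` is only acceptable because the body was checked by ad_html_security_check before it was stored.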