On Mon, Sep 2, 2013 at 6:25 AM, abp <abp...@gmail.com> wrote:

>> clojars uses
>> https://github.com/ato/clojars-web/blob/master/src/clojars/web/safe_hiccup.clj
>>
>> which automatically escapes.
>
>
> But that double escapes attribute values if you don't put them in
> raw-calls.
>
>
Yes, it double escapes attributes. In addition, doctype helpers like
`html5` might need to be redefined to use a `(raw ...)` for some parts.
There might be other functions where a `(raw ...)` is needed. The changes
in that file have proven sufficient for clojars, and I much prefer the
escape by default semantics, but more work might be needed for others.

Additionally, CSRF protection can happen with ring-anti-forgery.  The
clojars source link above includes a `form-to` function that is a
replacement for hiccup's `form-to` that adds the token on any
non-get/non-head forms.  It does require adding anti-forgery to the
middleware stack.

----

Several of Yesod's responses to other items on the list are humorous in
their vagueness, but in my experience for clojure:

1. Injection: Done by JDBC's prepared statements, and clojure.jdbc's use
of them.
2. XSS injection: Depends on templating. Hiccup requires explicit `(h
..)` calls. laser is escape by default. I am unsure about enlive,
clabango, or others.
3. Authentication & Session Management: I've used friend for
authentication, and bcrypt for encryption. lib-noir has some functions
that use bcrypt, but I've not used it. Session management can be specified
by the :store given to wrap-session, and defaults to an in-memory store. A
cookie store also exists that provides some protection against cookie
mutation. Immutant provides a store that can work across a cluster.
4. Insecure Reference: There is not a standard ORM or similar, so handling
only the correct parameters is up to you.
5. CSRF: ring-anti-forgery provides a way to add CSRF prevention tokens.
6. Security Misconfiguration: This seems to be the domain of chef, pallet,
puppet, capistrano or another deployment tool. I'm not sure I want my
libraries to mess with deployments.
7. Insecure Cryptographic Storage: Use bcrypt. See 3.
8. Failure to Restrict URL access: I've used friend for authorization.
9. Insufficient Transport Layer Protection: I'd recommend letting your
front end server handle this and redirect to https. I believe lib-noir has
a middleware that will redirect from http to https if needed. Consider
passing `:secure true` to `wrap-cookies` if you have an https only site.
10. Unvalidated Redirects and Forwards: URL generation is a weak spot in a
compojure based setup. For comparison, pedestal-service wrote its own
routing DSL and stores the routes in a way that allows URL generation based
on the context passed in.

I believe the use of many small libraries is what causes the lack of a
single spot for this documentation. I've picked up most of what I described
above by knowing the authors / what to google / asking + watching irc.
That does seem like an unfortunate situation for anyone new to have to
learn.

-
Nelson Morris
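Added example, not code from the thread or from clojars-web's safe_hiccup.clj: a minimal escape-by-default renderer that shows the two points made above. Text nodes and attribute values are each escaped exactly once at render time, so callers must not pre-escape (that is where the double-escaping of attributes comes from), and `raw` is the only path that bypasses the escaper. The `form-to` below follows the clojars replacement described in the message: it adds a hidden `__anti-forgery-token` field, the field name ring-anti-forgery checks, only on non-GET/non-HEAD forms. The namespace, function names and the literal token string are assumptions for the example; it needs only Clojure itself, not hiccup.

```clojure
(ns example.safe-html
  (:require [clojure.string :as str]))

;; Wrapper for markup the caller vouches for. A deftype rather than a
;; defrecord: a record is also a map, and would be mistaken for an
;; attribute map when it appears right after a tag.
(deftype RawString [s])

(defn raw
  "Mark s as already-safe markup; the only way past the escaper."
  [s]
  (->RawString s))

(defn escape-html
  "Escape the characters that matter in both text nodes and double-quoted
  attribute values. Applied exactly once, at render time, so callers must not
  pre-escape (pre-escaping is the double-escaping problem from the thread)."
  [s]
  (str/escape (str s) {\& "&amp;" \< "&lt;" \> "&gt;" \" "&quot;" \' "&#39;"}))

(def ^:private void-tags #{:input :br :hr :img :meta :link})

(defn- render-attrs
  "Render an attribute map, escaping every value; nil values are dropped."
  [attrs]
  (apply str
         (for [[k v] (sort-by key attrs) :when (not (nil? v))]
           (str " " (name k) "=\"" (escape-html v) "\""))))

(defn render
  "Render a hiccup-style tree: [:tag attr-map? & children], strings, numbers,
  seqs of nodes, nil, or a RawString. Plain tags only (no :div#id.class)."
  [node]
  (cond
    (instance? RawString node) (.s ^RawString node)
    (vector? node)
    (let [[tag & more] node
          [attrs children] (if (map? (first more))
                             [(first more) (rest more)]
                             [{} more])
          open (str "<" (name tag) (render-attrs attrs) ">")]
      (if (void-tags tag)
        open
        (str open (apply str (map render children)) "</" (name tag) ">")))
    (sequential? node) (apply str (map render node))
    (nil? node) ""
    :else (escape-html node)))

(defn form-to
  "Like hiccup's form-to, but any method other than GET/HEAD gets a hidden
  __anti-forgery-token field (the name ring-anti-forgery checks). The token is
  an explicit argument here; in a ring app it comes from
  ring.middleware.anti-forgery/*anti-forgery-token*. Because the token is an
  ordinary attribute value, render escapes it once and no raw call is needed."
  [token [method action] & body]
  (let [m (str/upper-case (name method))]
    (into [:form {:method (if (#{"GET" "POST"} m) m "POST") :action action}]
          (concat
           (when-not (#{"GET" "POST"} m)
             [[:input {:type "hidden" :name "_method" :value m}]])
           (when-not (#{"GET" "HEAD"} m)
             [[:input {:type "hidden" :name "__anti-forgery-token" :value token}]])
           body))))

(defn -main
  "Constructed inputs: untrusted text in a text node, untrusted text in an
  attribute value, a trusted fragment via raw, and a POST form with a token."
  [& _]
  (println (render [:p "Tom & Jerry <3 " [:b "bold"]]))
  (println (render [:a {:href "/search?q=\"><script>alert(1)</script>"} "link"]))
  (println (render [:div (raw "<hr>") "after"]))
  (println (render (form-to "example-token" [:post "/login"]
                            [:input {:type "text" :name "user"}]
                            [:input {:type "submit" :value "Log in"}]))))
```

The point to check in any such helper is that the same string never passes through `escape-html` twice: here attributes are escaped only in `render-attrs`, text only in the `:else` branch, and a GET form gets no token because a GET must not change state in the first place.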

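A second added example, also not from the thread, wiring items 3, 5 and 9 of the list into one ring middleware stack. It assumes ring-anti-forgery's `wrap-anti-forgery` and its `*anti-forgery-token*` dynamic var, ring's `wrap-session` with `cookie-store` (which wants a 16-byte key) and its `:cookie-attrs` option, which is the hook ring exposes for marking the session cookie Secure and HttpOnly, and a hand-written http-to-https redirect in place of the lib-noir middleware mentioned above. The namespace, key and handler are constructed for the example.

```clojure
(ns example.app
  (:require [ring.middleware.anti-forgery :refer [wrap-anti-forgery
                                                  *anti-forgery-token*]]
            [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.cookie :refer [cookie-store]]))

(defn wrap-force-https
  "Redirect plain-http GET/HEAD requests to the https URL and refuse any other
  method (a redirected POST would silently lose its body). Assumes the
  front-end server sets X-Forwarded-Proto; with no proxy, :scheme suffices."
  [handler]
  (fn [request]
    (let [proto (or (get-in request [:headers "x-forwarded-proto"])
                    (name (:scheme request)))]
      (cond
        (= proto "https") (handler request)
        (#{:get :head} (:request-method request))
        {:status 301
         :headers {"Location" (str "https://" (get-in request [:headers "host"])
                                   (:uri request)
                                   (when-let [q (:query-string request)]
                                     (str "?" q)))}
         :body ""}
        :else {:status 403 :headers {} :body "https required"}))))

;; Constructed 16-byte key for the example only; a real deployment loads it
;; from configuration so sessions survive restarts and cannot be forged by
;; anyone who has read this source.
(def ^:private session-key "0123456789abcdef")

(defn handler
  "A login form. *anti-forgery-token* is bound by wrap-anti-forgery for the
  current request; the library's token is base64 text, so it contains nothing
  that needs escaping in this attribute."
  [request]
  {:status 200
   :headers {"Content-Type" "text/html; charset=utf-8"}
   :body (str "<form method=\"post\" action=\"/login\">"
              "<input type=\"hidden\" name=\"__anti-forgery-token\" value=\""
              *anti-forgery-token* "\">"
              "<input type=\"text\" name=\"user\">"
              "<input type=\"submit\" value=\"Log in\"></form>")})

(def app
  ;; Order matters: a request passes through wrap-force-https, then
  ;; wrap-session, then wrap-params, so wrap-anti-forgery sees both the
  ;; session (where the expected token lives) and the parsed form params.
  (-> handler
      wrap-anti-forgery
      wrap-params
      (wrap-session {:store (cookie-store {:key session-key})
                     :cookie-attrs {:secure true :http-only true}})
      wrap-force-https))

(comment
  ;; Constructed requests for a REPL check: plain http, an https GET that
  ;; should get a form with a token, and an https POST carrying no token.
  (app {:request-method :get :uri "/login" :scheme :http
        :headers {"host" "example.com"}})
  (app {:request-method :get :uri "/login" :scheme :https
        :headers {"host" "example.com"}})
  (app {:request-method :post :uri "/login" :scheme :https
        :headers {"host" "example.com"}}))
```

With the cookie store the session travels in the cookie itself, encrypted and MACed under `session-key`, which is the "protection against cookie mutation" the message refers to; the Secure attribute keeps that cookie off plain-http connections, which is only safe to rely on because `wrap-force-https` sits outermost and never serves the site over http.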
-- 
-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en