Hi George,

On 20/04/2010 22:33, georgex wrote:
> How well does a typical Click webapp hold against the following 10 security
> risks?
> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
I'm not aware of any effort to make Click apps secure against the OWASP top 10 (interesting effort), so if your application is publicly hosted and contains sensitive data, make sure you understand security well or find a security expert to help out.

That said:

A1 (injection): shouldn't be a problem with ORMs or PreparedStatements.

A2 (XSS): Click controls escape their values at rendering time; however, Velocity variables are *not* escaped by default, so if you reference untrusted code through a Velocity variable, make sure you escape it, e.g.:

$format.escape($customer.description)

The rest of the list seems quite application specific and won't be handled by Click automatically.

kind regards
bob
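An added illustration of the A2 point above; it is not code from this thread or from the Click project. `htmlEscape` is a hypothetical stand-in for what `$format.escape(...)` does in a Click template, and the `description` value is constructed test data.

```java
/**
 * Shows why a value that came from a user must be escaped before a Velocity
 * template writes it into the page: Velocity itself emits references raw.
 */
public class VelocityEscapeDemo {

    /** Minimal HTML escaping of the characters that matter in text and attribute context. */
    static String htmlEscape(Object value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        for (char c : value.toString().toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Equivalent of the template line: <p>$customer.description</p> (Velocity default: raw). */
    static String renderUnescaped(String description) {
        return "<p>" + description + "</p>";
    }

    /** Equivalent of the template line: <p>$format.escape($customer.description)</p> */
    static String renderEscaped(String description) {
        return "<p>" + htmlEscape(description) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample of attacker-controlled input that was saved through a form.
        String description = "Nice shop <script>alert('xss')</script>";

        System.out.println("raw:     " + renderUnescaped(description));
        System.out.println("escaped: " + renderEscaped(description));

        // The escaped rendering contains no tag, so the browser displays it as text.
        if (renderEscaped(description).contains("<script")) {
            throw new AssertionError("escaping failed");
        }
    }
}
```

Escaping like this is only correct for values placed in HTML text or quoted attributes; a value dropped into a script block, a URL, or a style attribute needs the encoding for that context instead.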
