On Tue, Jun 9, 2009 at 11:39 PM, marius d. <[email protected]> wrote:
> Hi,
>
> For most apps canonicalization is not really necessary as the
> character stream for form-url-encoded is UTF-8 by default as Lift uses
> UTF-8 by default. Oh and the conversion from URL encoding to plain
> UTF-8 content is really done by container and when we get the params
> from the request object they are already well formed. Now if we're
> talking about a higher level of validation that's a different story
> and IMO this is an application aspect and not much a framework one.

And Lift does URL decoding of the paths before presenting them as the Req() object.

More broadly, Lift should provide all the features of ESAPI out of the box. If there are particular things that ESAPI offers that Lift doesn't, please flag them and we'll add them.

I did a bunch of years as VPE and CTO at a web app security company. In general, I've worked to make sure that Lift has security baked in and that the developer has to work to make the app insecure, rather than vice versa. If I missed a spot, Lift will be enhanced to make sure it does have security baked in.

> Br's,
> Marius
>
> On Jun 10, 5:43 am, Oliver Lambert <[email protected]> wrote:
> > Looks like I might have a requirement for implementing OWASP secure coding
> > practices, as described by
> >
> > One thing that I definitively don't do and I believe Lift doesn't do out of
> > the box is canonicalize input before validation/filtering. I was looking into
> > using OWASP ESAPI <http://www.owasp.org/index.php/ESAPI> but I'm put off by its
> > use of property files and system resources. Do any of you canonicalize input,
> > if so, do you use a library? Does Lift need this feature, or any of the others
> > described in the above document?
> >
> > cheers
> > Oliver

--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Git some: http://github.com/dpp
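The canonicalize-then-validate step the thread is about, shown as an added, language-neutral illustration in Python; this is not Lift or ESAPI code. It assumes the servlet container has already percent-decoded the parameter once (as Marius describes), so a value that was double-encoded on the wire reaches the application still encoded once; the function names and the sample values are constructed for the example.

```python
import unicodedata
from urllib.parse import unquote

# Bound the decode loop so pathological input cannot keep us spinning.
MAX_DECODE_ROUNDS = 4


class CanonicalizationError(ValueError):
    """Input was encoded more than once, or never reached a stable form."""


def canonicalize(value: str, allow_multiple_encoding: bool = False) -> str:
    """Reduce a request parameter to its simplest form before validating it.

    Percent-decodes repeatedly until the string stops changing (the container
    decodes only once, so "%252e" on the wire arrives here as "%2e"), then
    normalizes Unicode to NFC so visually equal strings compare equal.
    Multiple encoding layers are rejected by default, as ESAPI's strict mode does.
    """
    current, rounds = value, 0
    while True:
        decoded = unquote(current)
        if decoded == current:
            break
        rounds += 1
        if rounds > MAX_DECODE_ROUNDS:
            raise CanonicalizationError("input did not stabilize while decoding")
        current = decoded
    if rounds > 1 and not allow_multiple_encoding:
        raise CanonicalizationError(f"input was percent-encoded {rounds} times")
    return unicodedata.normalize("NFC", current)


def is_safe_segment(segment: str) -> bool:
    """Allow-list check for one path segment: non-empty, no separators, no dot-dot."""
    return (
        segment not in ("", ".", "..")
        and "/" not in segment
        and "\\" not in segment
        and "\x00" not in segment
    )


def accept_segment(value_from_container: str) -> bool:
    """Canonicalize first, then validate; a canonicalization failure is a rejection."""
    try:
        return is_safe_segment(canonicalize(value_from_container))
    except CanonicalizationError:
        return False
```

Validating the container-decoded value `%2e%2e` directly passes the segment check, while `accept_segment` canonicalizes it to `..` and rejects it; that ordering is the whole point of canonicalizing before validation.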
