Software Security/Group 1/Verdict
From Werkplaats
Verdict on the security requirements
V6 - Output Encoding/Escaping Verification Requirements
ID | Verification requirement | Verdict | Motivation
---|---|---|---
V6.1 | Verify that all untrusted data that are output to HTML (including HTML elements, HTML attributes, JavaScript data values, CSS blocks, and URI attributes) are properly escaped for the applicable context. | Fail | We have identified places in the code where insufficient escaping is performed. See Avatar URLs.
V6.2 | Verify that all output encoding/escaping controls are implemented on the server side. | Fail | We have identified one place where phpBB relies on client-side restrictions to enforce input validity. See Email manipulation. (?? Erik: it is not clear to me why this is client-side)
V6.3 | Verify that output encoding/escaping controls encode all characters not known to be safe for the intended interpreter. | Fail | We have identified places in the code where insufficient escaping is performed. See Avatar URLs. (?? Erik: but isn't this a case of missing escaping (i.e. V6.1) rather than not escaping all characters?)
V6.4 | Verify that all untrusted data that are output to SQL interpreters use parameterized interfaces, prepared statements, or are escaped properly. | N/A | This is the focus of Group 2.
V6.5 | Verify that all untrusted data that are output to XML use parameterized interfaces or are escaped properly. | N/A | There is no XML output.
V6.6 | Verify that all untrusted data that are used in LDAP queries are escaped properly. | N/A | There are no LDAP queries.
V6.7 | Verify that all untrusted data that are included in operating system command parameters are escaped properly. | N/A | We have searched the code for uses of any PHP functions commonly used to invoke operating system commands, but found none.
V6.8 | Verify that all untrusted data that are output to any interpreters not specifically listed above are escaped properly. | N/A | There are no other interpreters.
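The V6.1, V6.2 and V6.3 verdicts above refer to escaping of avatar URLs and to a client-side-only restriction on e-mail input. The following is an added example, written for this page and not taken from phpBB or from the group's audit, of what those three requirements ask for when an untrusted URL is written into an HTML attribute and when an input check exists only in the browser. The function names, the default avatar path and the 100-character length limit are illustrative assumptions; the sample inputs are constructed.

```php
<?php
// Added example (not phpBB code). Function names, the default avatar path and
// the length limit are illustrative assumptions.

declare(strict_types=1);

// Failing pattern for V6.1/V6.3: the untrusted value is written into the
// attribute unchanged. A value containing a double quote closes the attribute
// and the rest is interpreted as markup; a javascript: URL is executed on click.
function render_avatar_unsafe(string $avatar_url): string
{
    return '<img src="' . $avatar_url . '" alt="avatar">';
}

// Hardened pattern: the value must first be a URL we are willing to emit in a
// src attribute (scheme allowlist; URI attributes need this in addition to
// escaping), and is then escaped for the HTML attribute context. ENT_QUOTES
// covers both quote characters, so the value cannot close the attribute
// whether the template quotes it with " or '.
function safe_avatar_url(string $avatar_url): ?string
{
    $scheme = parse_url($avatar_url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // javascript:, data:, vbscript:, protocol-relative and malformed URLs are refused
    }
    return htmlspecialchars($avatar_url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_avatar_safe(string $avatar_url): string
{
    $url = safe_avatar_url($avatar_url);
    if ($url === null) {
        // Hypothetical fallback image path, a fixed server-side constant
        return '<img src="images/no_avatar.gif" alt="avatar">';
    }
    return '<img src="' . $url . '" alt="avatar">';
}

// V6.2: a maxlength attribute, a JavaScript pattern check or a <select> with
// fixed options restricts only what the form sends. The same request can be
// built without the form, so the check must be repeated on the server.
function validate_email_server_side(string $email): bool
{
    // FILTER_VALIDATE_EMAIL rejects whitespace and line breaks, which also
    // blocks header injection if the address is later used in a mail header.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && strlen($email) <= 100; // assumed limit, mirroring what the form enforces client-side
}

// Constructed inputs for demonstration (not taken from phpBB)
$inputs = [
    'https://example.org/me.png',
    'javascript:alert(document.cookie)',
    'https://example.org/x.png" onerror="alert(1)',
    '//evil.example/me.png',
];
foreach ($inputs as $in) {
    echo "unsafe: ", render_avatar_unsafe($in), "\n";
    echo "safe:   ", render_avatar_safe($in), "\n";
}
var_dump(validate_email_server_side('user@example.org'));
var_dump(validate_email_server_side("a@b.example\r\nBcc: x@y.example"));
```

Run it with the PHP CLI to see the two renderings side by side. The scheme allowlist is what distinguishes a URI attribute from a plain text attribute: `htmlspecialchars` alone turns `"` into `&quot;` and stops attribute injection, but it leaves a `javascript:` URL perfectly valid, which is why V6.1 names URI attributes as their own context.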
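The V6.7 motivation says the code was searched for PHP functions that invoke operating system commands. As an added example, not part of the group's audit and not phpBB code, the script below performs that search on the PHP token stream rather than with a text search: a plain grep misses the backtick operator (which has no function name) and is noisy for identifiers that merely contain "exec" or "system". The list of sink functions and the constructed sample source are this example's own assumptions.

```php
<?php
// Added example (not code from the Group 1 audit or from phpBB): token-based
// search for constructs that hand a string to the operating system.

declare(strict_types=1);

// Assumed list of command-execution sinks to look for
const OS_COMMAND_FUNCTIONS = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
];

// Index of the nearest token before ($step = -1) or after ($step = 1) $i that
// is not whitespace or a comment, or null at either end of the stream.
function significant(array $tokens, int $i, int $step): ?int
{
    for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $j;
    }
    return null;
}

// Returns [line, description] pairs for every call to a command-execution
// function and every backtick expression in $source.
function find_os_command_sinks(string $source): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $callIds = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {   // PHP 8 tokenizes \exec as one token
        $callIds[] = T_NAME_FULLY_QUALIFIED;
    }
    $line = 1;
    $inBacktick = false;
    foreach ($tokens as $i => $tok) {
        if (is_array($tok)) {
            $line = $tok[2]; // single-character tokens carry no line; keep the last one seen
        }
        // 1. Backtick operator: `cmd` is shell_exec() without a function name.
        if ($tok === '`') {
            if (!$inBacktick) {
                $hits[] = [$line, 'backtick operator'];
            }
            $inBacktick = !$inBacktick;
            continue;
        }
        if (!is_array($tok) || !in_array($tok[0], $callIds, true)) {
            continue;
        }
        $name = strtolower(ltrim($tok[1], '\\'));
        if (!in_array($name, OS_COMMAND_FUNCTIONS, true)) {
            continue;
        }
        // 2. It must be a call: the next significant token is '(' ...
        $next = significant($tokens, $i, 1);
        if ($next === null || $tokens[$next] !== '(') {
            continue;
        }
        // ... and not a method call, static call or the definition of a
        // same-named method, which never reach the OS by themselves.
        $prev = significant($tokens, $i, -1);
        if ($prev !== null && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        $hits[] = [$line, "call to $name()"];
    }
    return $hits;
}

// Constructed sample source (not phpBB code) with true positives and decoys
$sample = <<<'SRC'
<?php
$out = shell_exec('ls ' . $_GET['dir']);   // real sink
$x = `uptime`;                             // real sink, no function name
$db->exec($sql);                           // method call: database, not the OS
class Runner { public function exec() {} } // definition, not a call
$execute = 1; $systemName = 'phpBB';       // identifiers a grep for "exec"/"system" would flag
SRC;

foreach (find_os_command_sinks($sample) as [$line, $what]) {
    echo "line $line: $what\n";
}
```

The scan reports only the `shell_exec` call and the backtick expression from the sample. Calls through a variable function name (`$f('id')`) or `call_user_func` are not caught by any name-based search, so a "found none" verdict should also note whether such indirect calls were looked for.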