Injection and cross-site scripting
WebHare does a lot to prevent injections and XSS by design: HareScript's SQL integration isolates you from the raw database, and the Witty template language has sane defaults that prevent the most common cases of incorrect encoding. But you still need to be aware of potential issues and avoid dangerous patterns:
Any use of INSERT, SELECT, UPDATE and DELETE as part of the HareScript language itself is safe, as these statements are automatically converted to parameterized SQL statements before being passed to the database.
However, if you interface with a database directly by sending raw statements, you still need to take the proper precautions and use parameters or escaping whenever you accept external input. We recommend using HareScript SQL wherever possible, and %DynQuery if you need to build queries at runtime.
Do not generate file or path names based on user input. Use wrapped blob records (members/attributes of file/image type, which store filenames inside the record) where possible, or generate names based on generic UUIDs or the time of day.
You should especially avoid writing anything to the filesystem that was originally supplied by a user, as you would generally also lose transactional integrity and backup coverage.
Encoding in Witty
If you find yourself needing to specify an explicit encoding in Witty (e.g. `[title:html]` or, worse, `[data:none]`), double-check whether there is a way to avoid it. Be especially careful with the `:url` encoding; it is rarely the right thing to do. URLs should generally be constructed in HareScript, not directly in Witty.
The most common exception is the textarea, whose content generally needs the `:value` encoding (i.e. `<textarea>[currentdata:value]</textarea>`).
Encoding in HareScript
The text EncodeXXX functions in HareScript (e.g. EncodeHTML, EncodeURL, EncodeValue) are easy to confuse or forget. You can often avoid them:
- If you're building a URL, consider %UpdateURLVariables (and the other url.whlib functions)
- If you find yourself needing EncodeHTML or EncodeValue, consider using Witty instead
- Avoid generating HTML directly from HareScript; again, consider a Witty template