Task #31672
Determine topics for chapter "Guidelines for Extension Developers"
| Status: | Accepted | Start date: | 2011-11-08 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assignee: | Michael Schams | % Done: | 0% |
| Category: | - | | |
| Target version: | 1.1.0 | | |
| Votes: | 0 | | |
Description
Determine topics for chapter "Guidelines for Extension Developers".
History
Updated by Michael Schams over 1 year ago
I'll make a start:
- explain the process for reporting a security issue in one's own extension to the Security Team
- highlight that a fix for a security issue should be the only change in a release
- explain the policy of "least disclosure" (used by the Security Team)
- list/summarize typical security vulnerabilities in PHP code (see CWE/SANS Most Dangerous Software Errors)
- describe how to prevent these errors (maybe show code examples?)
- explain which typical TYPO3 API functions should be used (?)
- [...]
I would be more than happy if everyone adds his/her ideas to the list.
Updated by Michael Schams over 1 year ago
Helmut Hummel suggested:
It should include how to avoid SQLi properly, how to avoid XSS and a general recommendation to always use the TYPO3 API for validation, escaping and encoding.
SQLi:
- Always escape user input directly before it is used in a query
- Describe correct ways to escape strings (fullQuoteStr or escapeStrForLike+quoteStr+"'" for like queries)
- Teach to use intval for integers
- Teach to use whitelisting for column or table names
- Always encode before output
- use htmlspecialchars() for html context
- use t3lib_div::quoteJSvalue() for JavaScript value context.
- never allow user input in plain JS context
Examples for API that should be used:
- t3lib_div::getFileAbsFileName()
- t3lib_div::validEmail()
- t3lib_div::verifyFilenameAgainstDenyPattern()
- t3lib_div::validPathStr()
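The rules suggested above (escape directly before the query, intval for integers, whitelisting for column names, context-specific output encoding, and the path-validation API), worked into one extension class as an added example. This is not code from this task or from the TYPO3 project; it assumes a TYPO3 4.x bootstrap where $GLOBALS['TYPO3_DB'] (t3lib_DB) and t3lib_div are loaded, and the class name, the table tx_myext_items and its columns are hypothetical.

```php
<?php
// Added example, not part of task #31672 or of TYPO3 itself.
// Assumes TYPO3 4.x: $GLOBALS['TYPO3_DB'] and t3lib_div are available.
// tx_myext_items and its columns (uid, title, description, crdate) are hypothetical.

class tx_myext_secureExample {

	/**
	 * VULNERABLE, kept only for comparison: raw user input is concatenated
	 * into the WHERE clause. A title of   ' OR 1=1 --   rewrites the query.
	 */
	public function findByTitleInsecure($title) {
		return $GLOBALS['TYPO3_DB']->exec_SELECTquery(
			'uid, title', 'tx_myext_items', "title = '" . $title . "'"
		);
	}

	/**
	 * Hardened variant. Escaping happens right where the value enters SQL:
	 * - fullQuoteStr() for an exact string match (adds the quotes itself)
	 * - escapeStrForLike() + quoteStr() + manual quotes for a LIKE pattern
	 * - intval() for integers
	 * - a whitelist for the ORDER BY column (identifiers cannot be escaped)
	 */
	public function findByTitle($title, $minUid, $sortColumn) {
		$db = $GLOBALS['TYPO3_DB'];
		$table = 'tx_myext_items';

		$minUid = intval($minUid);

		$allowedSort = array('uid', 'title', 'crdate');
		if (!in_array($sortColumn, $allowedSort, TRUE)) {
			$sortColumn = 'uid';
		}

		$exact = $db->fullQuoteStr($title, $table);
		// escapeStrForLike() neutralises % and _, quoteStr() escapes quotes/backslashes
		$pattern = $db->quoteStr($db->escapeStrForLike($title, $table), $table);

		$where = 'uid > ' . $minUid
			. ' AND (title = ' . $exact
			. " OR description LIKE '%" . $pattern . "%')";

		return $db->exec_SELECTquery('uid, title', $table, $where, '', $sortColumn);
	}

	/**
	 * Output encoding, chosen per context the value lands in.
	 */
	public function render($title, $uid) {
		// HTML body and attribute context
		$html = '<li data-uid="' . intval($uid) . '">'
			. htmlspecialchars($title) . '</li>';

		// JavaScript value context: quoteJSvalue() returns a quoted, escaped literal
		$js = '<script type="text/javascript">var itemTitle = '
			. t3lib_div::quoteJSvalue($title) . ';</script>';

		// Never:  '<script>' . $title . '</script>'  (plain JS context, no safe encoding)
		return $html . $js;
	}

	/**
	 * User-supplied file reference (relative to the site root): run the API
	 * checks before touching the filesystem. Returns the absolute path or FALSE.
	 */
	public function resolveUserFile($relativePath) {
		// rejects "../", backslashes and similar path tricks
		if (!t3lib_div::validPathStr($relativePath)) {
			return FALSE;
		}
		// rejects names matching $TYPO3_CONF_VARS['BE']['fileDenyPattern'] (e.g. .php)
		if (!t3lib_div::verifyFilenameAgainstDenyPattern(basename($relativePath))) {
			return FALSE;
		}
		// resolves against PATH_site and returns an empty value for anything outside it
		$absolute = t3lib_div::getFileAbsFileName($relativePath);
		return empty($absolute) ? FALSE : $absolute;
	}
}
```

The two query methods take the same $title so the difference is visible side by side: the insecure one trusts the caller, the hardened one escapes at the point of use, which is the rule Helmut's first bullet asks for. The whitelist for $sortColumn is the only option for identifiers, since none of the escaping functions apply to table or column names.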