Docs could include more advice on securing apps

[SoniEx2]

This part of the README talks about SQL injection https://github.com/sailorproject/sailor/blob/master/README.md#creating-pages

but I only see XSS.

[Etiene]

Where do you see XSS?

When I talk about SQL injection I mean the methods in the model module that escape the values passed before building the query to pass to the db module. (or not)
(https://github.com/sailorproject/sailor/blob/master/src/sailor/model.lua#L203)
(https://github.com/sailorproject/sailor/blob/master/src/sailor/model.lua#L258)

[SoniEx2]

Ah, I thought you meant user input being used as-is in the resulting HTML...

[felipedaragon]

Can this issue be closed? PS: you might want to open another because I heard Robotnik is back in the Emerald Hill :)

[SoniEx2]

@felipedaragon idk if you know this but putting an username in a webpage without escaping HTML elements = XSS, e.g. let's say the username is <script src="some_dangerous_script.js"></script> and you don't escape it, so now your page's HTML looks like Hello <script src="some_dangeours_script.js"></script>, and the browser runs the script.

Nothing in the README seems to indicate page:render() escapes those (and it shouldn't, because being able to dynamically select HTML content like that is useful, instead escaping should be done by the user).

[felipedaragon]

@SoniEx2 are you suggesting the creation of a special readme with basic secure coding tips for Sailor users? Some years ago I wrote an article about a dozens of similar scenarios, not just covering XSS but other potential issues: http://seclists.org/fulldisclosure/2014/May/128

[SoniEx2]

I'm suggesting the README should warn about XSS, as it's relevant to the given example.

[felipedaragon]

@SoniEx2 @Etiene here is an example of how another framework (Django) tackled this in their documentation: https://docs.djangoproject.com/en/1.9/topics/security/