Security Information for Portlet Developers
SQL Injection
Most Jasig code uses Hibernate or Hibernate-backed JPA, which bind query parameters for you. Code that does not use these technologies should at least use prepared statements so that user-supplied values are never concatenated into SQL text.
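As an added example (not code from this page or from any Jasig portlet), assuming a hypothetical portlet_user table with a matching PortletUser JPA entity: the same lookup written as the string-concatenated query that must not be used, as a JDBC PreparedStatement, and as a JPA parameterised query.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.persistence.EntityManager;

public class PortletUserDao {

    // Vulnerable: the caller-supplied username becomes part of the SQL text,
    // so any quote or SQL syntax inside it changes the structure of the query.
    public List<String> findEmailsUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM portlet_user WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Safe (plain JDBC): the value is bound as a parameter, so the driver never
    // parses it as SQL regardless of what characters it contains.
    public List<String> findEmailsSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM portlet_user WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Safe (JPA/Hibernate): a named parameter in JPQL gives the same guarantee;
    // PortletUser is an assumed entity name for this example.
    public List<String> findEmailsJpa(EntityManager em, String username) {
        return em.createQuery(
                "SELECT u.email FROM PortletUser u WHERE u.username = :name", String.class)
            .setParameter("name", username)
            .getResultList();
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> emails = new ArrayList<>();
        while (rs.next()) {
            emails.add(rs.getString("email"));
        }
        return emails;
    }
}
```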
Cross-site Scripting (XSS)
Many Jasig portlets use the escapeBody tag from Spring's JSP tag library to perform HTML and JavaScript escaping of output.
The Manchester News Reader portlet uses OWASP AntiSamy to clean dangerous tags from RSS feeds. This tool lets a developer strip a configurable set of HTML tags and attributes from proxied content before it is rendered.
Encryption of sensitive data
Most portlets should not need to store user passwords. A portlet that does store potentially sensitive data should encrypt that data with a well-vetted algorithm from an established library rather than home-grown code. Useful encryption libraries include Jasypt and Bouncy Castle.