Document common security precautions
Reported by: GrumpySimon
Owned by: Jacob
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Some discussion of the security precautions needed (or not) during application development is, I think, essential for a web application framework.
- What should people do to protect against SQL injection? Do we need to run an escaping on incoming data, or is it sanitised elsewhere?
- What about Cross Site Scripting?
- Is there an equivalent of something like PHP's http://www.php.net/htmlspecialchars to sanitise potentially dodgy user-input text?
- What type of queries should be avoided as hard on the database (e.g. is foo.get_object( pk=1, select_related=True ) going to melt down your RDBMS?).
- How is the admin section secured?
- Has anyone completed a security audit of the backend code?