25th June 2012, 00:05
Posted by Wuild (Senior Member)
Quote:
Originally Posted by Optix
You seem not to understand. I'm not talking about the demo, but about the CMS in general, because it will be deployed in the future.

Sanitizing inputs is one thing, but checking the source of the input is another. That's CSRF: you have to check the source of the request. When you're displaying a form, you're expecting data from this form only and should block other requests issued by a foreign site/domain or by your own platform.
When you're displaying an action link (like add as friend, logout, delete account etc.), only the page where the link is displayed should be able to trigger the process. Currently, it's possible to call all your URLs from anywhere (a foreign site or your CMS itself).
Should be fixed on the demo site now.

Bump: Uploading the latest build of openTracker to the demo... enjoy.
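The check Optix describes above, as an added example that is not openTracker's own code: a state-changing request is accepted only if its Origin/Referer names our own host and it carries a token that only a page rendered by this CMS for this session could contain. Forms get the per-session token as a hidden field; action links (logout, delete account, ...) get a per-action token derived from it. The hostname, the in-memory session store and the request shape are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

OWN_HOST = "tracker.example"   # constructed: stands in for the CMS's own domain
SESSIONS = {}                  # constructed in-memory session store (stands in for the real one)


def start_session():
    """Create a session and attach a fresh, unguessable CSRF secret to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def form_token(sid):
    """Value to embed as a hidden field when the CMS renders a form."""
    return SESSIONS[sid]["csrf"]


def action_token(sid, action):
    """Value to append to an action link. It is derived from the session secret
    and the action name, so a token for 'logout' cannot be replayed as 'delete_account'."""
    secret = SESSIONS[sid]["csrf"].encode()
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Check the request's source: Origin (or Referer as a fallback) must be our host.
    A request carrying neither is treated as foreign rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == OWN_HOST


def authorize(sid, headers, submitted, action=None):
    """Gate a state-changing request. action=None means a form POST; otherwise
    it is an action link. Unknown session, missing token or foreign source all fail."""
    session = SESSIONS.get(sid)
    if session is None or submitted is None or not same_origin(headers):
        return False
    expected = session["csrf"] if action is None else action_token(sid, action)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), submitted.encode())
```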