#28
24th June 2012, 23:27
Optix
Senior Member
Join Date: Sep 2011
France
Posts: 145
Quote:
Originally Posted by kizze
Yeah, we got a development website where it is fixed, but not on the demo.
But we removed the avatar and disabled the demo user from being editable.
You seem not to understand. I'm not talking about the demo, but about the CMS in general, because it will be deployed in the future.

Sanitizing inputs is one thing, but checking the source of the input is another. That's CSRF: you have to check the source of the request. When you're displaying a form, you're expecting data from this form only, and block other requests issued by a foreign site/domain or your own platform.
When you're displaying an action link (like add as friend, logout, delete account, etc.), only the page where the link is displayed can trigger the process. Currently, it's possible to call all your URLs from everywhere (a foreign site and your CMS itself).
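The check Optix describes, as an added illustration that is not code from this thread or from the CMS under discussion: each sensitive action gets its own token derived from a session secret, and a request is only processed when it comes from the site's own origin and carries the token for exactly that action. The origin `https://cms.example` and the action names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed: the CMS's own origin; anything else is treated as foreign.
SITE_ORIGIN = "https://cms.example"


def new_session():
    """A server-side session holding a secret from which per-action tokens are derived."""
    return {"csrf_secret": secrets.token_bytes(32)}


def issue_token(session, action):
    """Token to embed in the form or action link for ONE action (e.g. 'delete_account').
    Because the action name is part of the MAC input, a token issued for the logout
    link cannot be replayed against the delete-account URL, even from inside the CMS."""
    return hmac.new(session["csrf_secret"], action.encode(), hashlib.sha256).hexdigest()


def request_allowed(session, action, headers, submitted_token):
    """Return (ok, reason) for an incoming state-changing request.

    1. Source check: Origin (or Referer as fallback) must be our own site.
    2. Token check: the submitted token must match the one issued for this action.
    """
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False, "request not issued from our own site"
    expected = issue_token(session, action)
    if not submitted_token or not hmac.compare_digest(expected, submitted_token):
        return False, "token missing or bound to a different action"
    return True, "ok"


def demo():
    """Constructed scenarios: one legitimate request and three that must be refused."""
    session = new_session()
    token = issue_token(session, "delete_account")
    own = {"Origin": SITE_ORIGIN}
    return {
        "legit": request_allowed(session, "delete_account", own, token)[0],
        "foreign_site": request_allowed(session, "delete_account",
                                        {"Origin": "https://evil.example"}, token)[0],
        "no_token": request_allowed(session, "delete_account", own, None)[0],
        "other_action": request_allowed(session, "logout", own, token)[0],
    }
```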