- All SQL queries must be written in a repository class. Do not write or define SQL queries in command or service classes.
- "Ensure all user input is encapsulated using createNamedParameter() within queries generated by the QueryBuilder." This prevents SQL injection.
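The two rules above, shown side by side in a repository class. This is an added example, not code from the page or from any TYPO3 extension: the extension name, namespace, table name and method names are assumptions, and the QueryBuilder calls (`createNamedParameter()`, `executeQuery()`, `fetchAllAssociative()`) are the TYPO3 v11.5+ API.

```php
<?php
declare(strict_types=1);

namespace Vendor\MyExt\Domain\Repository;

use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Extbase\Persistence\Repository;

/**
 * Hypothetical repository for an assumed table "tx_myext_domain_model_user".
 * All SQL lives here; controllers, commands and services only call these methods.
 */
class UserRepository extends Repository
{
    private const TABLE = 'tx_myext_domain_model_user';

    /**
     * UNSAFE, shown for contrast only: the user-supplied value is concatenated
     * into the SQL string, so it can change the meaning of the WHERE clause.
     */
    public function findByEmailUnsafe(string $email): array
    {
        $queryBuilder = $this->getQueryBuilder();
        return $queryBuilder
            ->select('uid', 'email')
            ->from(self::TABLE)
            ->where("email = '" . $email . "'")   // string concatenation: injectable
            ->executeQuery()
            ->fetchAllAssociative();
    }

    /**
     * SAFE: every user-controlled value passes through createNamedParameter(),
     * which binds it as a typed parameter. The value is sent to the database
     * separately from the SQL text and is never parsed as SQL.
     */
    public function findByEmail(string $email): array
    {
        $queryBuilder = $this->getQueryBuilder();
        return $queryBuilder
            ->select('uid', 'email')
            ->from(self::TABLE)
            ->where(
                $queryBuilder->expr()->eq(
                    'email',
                    $queryBuilder->createNamedParameter($email, Connection::PARAM_STR)
                )
            )
            ->executeQuery()
            ->fetchAllAssociative();
    }

    /**
     * Lists are bound the same way with the matching array type; the values
     * are additionally cast to int so the bound list contains only integers.
     */
    public function findByUids(array $uids): array
    {
        $uids = array_map('intval', $uids);
        $queryBuilder = $this->getQueryBuilder();
        return $queryBuilder
            ->select('uid', 'email')
            ->from(self::TABLE)
            ->where(
                $queryBuilder->expr()->in(
                    'uid',
                    $queryBuilder->createNamedParameter($uids, Connection::PARAM_INT_ARRAY)
                )
            )
            ->executeQuery()
            ->fetchAllAssociative();
    }

    private function getQueryBuilder(): QueryBuilder
    {
        return GeneralUtility::makeInstance(ConnectionPool::class)
            ->getQueryBuilderForTable(self::TABLE);
    }
}
```

A quick review check that follows from this: any `->where(` whose argument is a string built with `.` or interpolation, anywhere outside a repository, is a finding; the expected pattern is `expr()->...` with `createNamedParameter()` for each value.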
- In TYPO3 forms, always use the Property Mapper: if an attacker tries to add a field on the client side, this is detected by the property mapper and an exception is thrown. For example:
    <f:form.textfield property="email" />
- If you want to load a script in a Fluid template, load it through the asset ViewHelper,
    <f:asset.script identifier="customJS">alert("XSS");</f:asset.script>
  instead of a raw script tag:
    <script type="text/javascript">alert("XSS");</script>
- Never trust user input. Every form must be implemented with validation: in Extbase backend forms use the correct TCA types and parameters such as eval, and in Extbase frontend forms the validation framework can be used.
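The property-mapper and validation rules above, worked through in one Extbase model and controller. This is an added example, not code from the page or from any TYPO3 extension: the namespace, model, field names and repository are assumptions, and the API used (`@Extbase\Validate` annotations, `getPropertyMappingConfiguration()->allowProperties()`, `htmlResponse()`) is TYPO3 v11.5+.

```php
<?php
declare(strict_types=1);

namespace Vendor\MyExt\Domain\Model {
    use TYPO3\CMS\Extbase\Annotation as Extbase;
    use TYPO3\CMS\Extbase\DomainObject\AbstractEntity;

    // Hypothetical domain model. Validators run on the mapped object before the
    // action is called; on failure Extbase routes to errorAction() instead.
    class User extends AbstractEntity
    {
        /**
         * @Extbase\Validate("NotEmpty")
         * @Extbase\Validate("EmailAddress")
         */
        protected string $email = '';

        /** @Extbase\Validate("StringLength", options={"minimum": 2, "maximum": 80}) */
        protected string $name = '';

        // Never rendered in the form, so it must never be settable from a request.
        protected bool $isAdmin = false;

        public function getEmail(): string { return $this->email; }
        public function setEmail(string $email): void { $this->email = $email; }
        public function getName(): string { return $this->name; }
        public function setName(string $name): void { $this->name = $name; }
        public function isAdmin(): bool { return $this->isAdmin; }
    }
}

namespace Vendor\MyExt\Controller {
    use Psr\Http\Message\ResponseInterface;
    use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
    use Vendor\MyExt\Domain\Model\User;
    use Vendor\MyExt\Domain\Repository\UserRepository;

    class UserController extends ActionController
    {
        private UserRepository $userRepository;

        public function __construct(UserRepository $userRepository)
        {
            $this->userRepository = $userRepository;
        }

        // Template (Fluid) for this action, shown as a comment. <f:form> emits a
        // signed __trustedProperties field naming exactly the fields it rendered:
        //   <f:form action="create" name="user" object="{user}">
        //     <f:form.textfield property="email" />
        //     <f:form.textfield property="name" />
        //     <f:form.submit value="Save" />
        //   </f:form>
        public function newAction(): ResponseInterface
        {
            $this->view->assign('user', new User());
            return $this->htmlResponse();
        }

        /**
         * Runs before the arguments of createAction() are mapped. Extbase already
         * configures the property mapper from __trustedProperties; restating the
         * allow list here keeps it explicit in code. A request carrying an extra
         * "user[isAdmin]" field, which is not allowed, makes the property mapper
         * throw instead of silently setting the property.
         */
        public function initializeCreateAction(): void
        {
            $config = $this->arguments->getArgument('user')->getPropertyMappingConfiguration();
            $config->allowProperties('email', 'name');
            // Deliberately no allowAllProperties() and no skipUnknownProperties():
            // unknown fields must fail loudly, not be ignored.
        }

        // Reached only after mapping succeeded and all @Validate rules passed.
        public function createAction(User $user): ResponseInterface
        {
            $this->userRepository->add($user);
            $this->addFlashMessage('User created.');
            return $this->redirect('list');
        }
    }
}
```

The split of responsibilities is the point: the model declares what a valid value is, the property mapper configuration declares which fields a request may set at all, and the action body runs only when both have been satisfied.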
- Every form or link used while logged in must include a secret token that is used to check the authenticity of the request, to prevent cross-site request forgery (XSRF).
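A token round-trip for a logged-in form and a logged-in link, using the TYPO3 core form-protection API. This is an added example, not code from the page or from any TYPO3 extension: the controller, form name, action names and template are assumptions, and it assumes TYPO3 v12+ where `FormProtectionFactory` is injected and `createFromRequest()` is used (v11 used the static `FormProtectionFactory::get()`).

```php
<?php
declare(strict_types=1);

namespace Vendor\MyExt\Controller;

use Psr\Http\Message\ResponseInterface;
use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

/** Hypothetical frontend controller for a logged-in user's own profile. */
class ProfileController extends ActionController
{
    // Form name, action and instance name are part of the token's HMAC input;
    // the same three values must be used when generating and when validating.
    private const FORM_NAME = 'tx_myext_profile';

    private FormProtectionFactory $formProtectionFactory;

    public function __construct(FormProtectionFactory $formProtectionFactory)
    {
        $this->formProtectionFactory = $formProtectionFactory;
    }

    // Template (Fluid) for this action, shown as a comment. The token travels
    // in a hidden field for the form and as a query argument for the link:
    //   <f:form action="update" name="profile">
    //     <f:form.hidden name="formToken" value="{updateToken}" />
    //     <f:form.textfield name="email" value="{email}" />
    //     <f:form.submit value="Save" />
    //   </f:form>
    //   <f:link.action action="delete" arguments="{formToken: deleteToken}">Delete profile</f:link.action>
    public function editAction(): ResponseInterface
    {
        $formProtection = $this->formProtectionFactory->createFromRequest($this->request);
        $this->view->assignMultiple([
            'updateToken' => $formProtection->generateToken(self::FORM_NAME, 'update', 'profile'),
            'deleteToken' => $formProtection->generateToken(self::FORM_NAME, 'delete', 'profile'),
        ]);
        // The session token the HMACs are derived from is bound to the logged-in
        // user's session; persisting it makes it available to the next request.
        $formProtection->persistSessionToken();
        return $this->htmlResponse();
    }

    public function updateAction(string $email = '', string $formToken = ''): ResponseInterface
    {
        // Reject a missing, forged, or cross-session token before any state change.
        if (!$this->isValidToken($formToken, 'update')) {
            $this->addFlashMessage('Invalid or missing request token.');
            return $this->redirect('edit');
        }
        // ... persist the new email via the repository here ...
        $this->addFlashMessage('Profile updated.');
        return $this->redirect('edit');
    }

    // Links that change state need the same check as forms.
    public function deleteAction(string $formToken = ''): ResponseInterface
    {
        if (!$this->isValidToken($formToken, 'delete')) {
            $this->addFlashMessage('Invalid or missing request token.');
            return $this->redirect('edit');
        }
        // ... remove the profile via the repository here ...
        return $this->redirect('edit');
    }

    private function isValidToken(string $formToken, string $action): bool
    {
        $formProtection = $this->formProtectionFactory->createFromRequest($this->request);
        return $formToken !== ''
            && $formProtection->validateToken($formToken, self::FORM_NAME, $action, 'profile');
    }
}
```

Note that the `__trustedProperties` field which `<f:form>` adds on its own is a property-mapping allow list, not a CSRF defence; the per-session token above is what ties the request to the user who rendered the page.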