Does playframework 1.x handle cross site scripting (xss)?
11-12-2019
Question
I'm using the playframework with version 1.2.5 and I have just a simple question.
If I use, for example:
// Play 1.x model finder; "?" is a positional JPQL parameter bound to the username argument
public static User findByUsername(String username) {
    return User.find("username = ?", username).first();
}
So if I perform this call, does the "JPAQuery find()" or the playframework prevent cross-site scripting and such things?
If not, what do I easily have to do to prevent it in all my database interactions?
Thanks a lot.
Cheers,
Marco
Solution
Cross-site scripting does not quite apply to the code you posted, so I suppose you mean SQL injection. In that case, the code you posted should be safe. (The wrong way would be to build the query by concatenating Strings with the + operator.)
See here: http://www.playframework.org/documentation/1.2.5/security#sql
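The following is an added example, not code from the question, the answer or the Play project. It puts the safe finder from the question next to the concatenating variant the answer warns against, in a Play 1.x model class, and walks through what a hostile username does to each query. The class, field names and the payload string are assumptions made for illustration.

```java
package models;

import javax.persistence.Entity;
import play.db.jpa.Model;

// Hypothetical Play 1.x entity (an assumption; the original post only shows the finder).
@Entity
public class User extends Model {

    public String username;

    // SAFE: "?" is a positional JPQL parameter. Play hands the value to JPA,
    // which binds it as data. For username = "x' OR '1'='1" the query looks
    // for a user literally named  x' OR '1'='1  and finds nobody.
    public static User findByUsername(String username) {
        return User.find("username = ?", username).first();
    }

    // UNSAFE (the pattern the answer warns against): the value becomes part of
    // the query text. For username = "x' OR '1'='1" the JPQL fragment is
    //     username = 'x' OR '1'='1'
    // which is true for every row, so first() returns an arbitrary user.
    // Kept here only to show the difference; do not use in real code.
    public static User findByUsernameUnsafe(String username) {
        return User.find("username = '" + username + "'").first();
    }

    // Same rule for any other filter: every user-controlled value goes in as a
    // parameter, never into the string. Multiple "?" are bound in order.
    public static User findByUsernameAndEmail(String username, String email) {
        return User.find("username = ? and email = ?", username, email).first();
    }

    // Constructed payload (an assumption for this example) that demonstrates
    // the difference between the two finders above when a tester calls them.
    public static final String INJECTION_PAYLOAD = "x' OR '1'='1";
}
```

The rule of thumb the answer gives is the whole story for Play 1.x's `find()`: as long as the only thing that changes between calls is the bound parameter values, the shape of the JPQL is fixed and the database never interprets the input as query syntax. Column names or ORDER BY clauses, which cannot be bound as parameters, should be chosen from a whitelist in code rather than taken from the request.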
OTHER TIPS
Since version 1.0.1, Play's template engine automatically escapes strings. More details on this page: playframework owasp top 10