Question

I'm using the playframework with version 1.2.5 and I have just a simple question.

If I use for example:

// Play 1.x model helper: the "?" is a positional parameter bound by JPA
public static User findByUsername(String username) {
    return User.find("username = ?", username).first();
}

So if I perform this call, does the "JPAQuery find()" or the playframework prevent cross site scripting and such things?

If not, what can I easily do to prevent it in all my database interactions?

Thanks a lot.

Cheers,

Marco


Solution

Cross-site scripting does not quite apply to the code you posted, so I suppose you mean SQL injection. In that case, the code you posted should be safe. (The wrong way would be to build the query by concatenating Strings with + operator.)

See here: http://www.playframework.org/documentation/1.2.5/security#sql

OTHER TIPS

Since version 1.0.1, Play's template engine automatically escapes strings. More details on this page: playframework owasp top 10
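As an added illustration of the point both posts make (this is not code from the question or from either answer, nor from the Play project), here is a Play 1.2.x model with the parameterized lookup beside the concatenated form the accepted answer warns against, plus an allowlisted sort column for the one place binding cannot help. The `email` field, `findSorted`, the `SORTABLE` set and the view path are assumptions.

```java
package models;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import play.db.jpa.Model;

@Entity
public class User extends Model {
    public String username;
    public String email; // assumed field, only used to give the entity some shape

    // Safe: "?" is a JPA positional parameter. The value travels to the
    // database as data and can never change the structure of the query.
    public static User findByUsername(String username) {
        return User.find("username = ?", username).first();
    }

    // Unsafe, shown only for contrast: the input is spliced into the JPQL
    // text, so a value containing a quote character alters the query itself.
    public static User findByUsernameUnsafe(String username) {
        return User.find("username = '" + username + "'").first();
    }

    // Binding covers values only; identifiers such as column names in
    // "order by" cannot be bound. When the sort column comes from the
    // request, check it against a fixed allowlist before building the query.
    private static final Set<String> SORTABLE =
            new HashSet<String>(Arrays.asList("username", "email", "id"));

    public static List<User> findSorted(String column) {
        if (!SORTABLE.contains(column)) {
            column = "id"; // fall back instead of trusting the caller's value
        }
        return User.find("order by " + column).fetch();
    }
}

// In a view such as app/views/Users/show.html, ${user.username} is HTML-escaped
// by the template engine (Play 1.0.1 and later); only an explicit .raw() emits
// the stored value unescaped, which is what turns stored input into XSS.
```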

Licensed under: CC-BY-SA with attribution