path: root/demos/quickstart/protected/pages/Advanced/Security.page
author: xue <> 2006-07-16 01:50:23 +0000
committer: xue <> 2006-07-16 01:50:23 +0000
commit: af68030fcf0c266300feb2c100149ecadef7d364 (patch)
tree: 76b7c8ad5d8227870b9ef10c3e7b92a36336b320 /demos/quickstart/protected/pages/Advanced/Security.page
parent: 4b78404c20490a615459267426ce9e6737bf4485 (diff)
Merge from 3.0 branch till 1264.
Diffstat (limited to 'demos/quickstart/protected/pages/Advanced/Security.page')
-rw-r--r--  demos/quickstart/protected/pages/Advanced/Security.page | 8
1 files changed, 4 insertions, 4 deletions
diff --git a/demos/quickstart/protected/pages/Advanced/Security.page b/demos/quickstart/protected/pages/Advanced/Security.page
index 9be7946a..3dbfe0ab 100644
--- a/demos/quickstart/protected/pages/Advanced/Security.page
+++ b/demos/quickstart/protected/pages/Advanced/Security.page
@@ -10,7 +10,7 @@ Viewstate lies at the heart of PRADO. Viewstate represents data that can be used
It is extremely important to ensure that viewstate is not tampered by end users. Without protection, malicious users may inject harmful code into viewstate and unwanted instructions may be performed when page state is being restored on server side.
</p>
<p>
-To prevent viewstate from being tampered, PRADO enforces viewstate HMAC (Keyed-Hashing for Message Authentication) check before restoring viewstate. Such a check can detect if the viewstate has been tampered or not by end users. Should the viewstate is modified, PRADO will stop restoring the viewstate and return an error message.
+To prevent viewstate from being tampered, PRADO enforces viewstate HMAC (Keyed-Hashing for Message Authentication) check before restoring viewstate. Such a check can detect if the viewstate has been tampered or not by end users. Should the viewstate is modified, PRADO will stop restoring the viewstate and return an error message.
</p>
<p>
HMAC check requires a private key that should be secret to end users. Developers can either manually specify a key or let PRADO automatically generate a key. Manually specified key is useful when the application runs on a server farm. To do so, configure <tt>TSecurityManager</tt> in application configuration,
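Review bot: the `-` and `+` lines of this hunk are indistinguishable as displayed, so this is most likely a whitespace-only change (trailing space or line ending); since the line is being rewritten anyway, fix its grammar while here: "Should the viewstate is modified" should read "Should the viewstate be modified", and "tampered by end users" should be "tampered with by end users" (the same phrase also appears in the unchanged context line above). The wording "detect if the viewstate has been tampered" is the accurate description of what the HMAC check does, and the following context line already notes that it does not keep the content confidential; keep that framing rather than the "prevent viewstate from being tampered" of the opening clause.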
@@ -31,7 +31,7 @@ HMAC check does not prevent end users from reading the viewstate content. An add
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly design forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly on their computers.
</p>
<p>
-One of the most important measures to prevent XSS attacks is to check user input before displaying them. One can do HTML-encoding with the user input to achieve this goal. However, in some situations, HTML-encoding may not be preferrable because it disables all HTML tags.
+One of the most important measures to prevent XSS attacks is to check user input before displaying them. One can do HTML-encoding with the user input to achieve this goal. However, in some situations, HTML-encoding may not be preferable because it disables all HTML tags.
</p>
<p>
PRADO incorporates the work of <a href="http://pixel-apes.com/safehtml/">SafeHTML</a> and provides developers with a useful component called <tt>TSafeHtml</tt>. By enclosing content within a <tt>TSafeHtml</tt> component tag, the enclosed content are ensured to be safe to end users. In addition, the commonly used <tt>TTextBox</tt> has a <tt>SafeText</tt> property which contains user input that are ensured to be safe if displayed directly to end users.
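Review bot: the spelling fix is fine, but the same line's "check user input before displaying them" conflates input validation with output encoding; suggest "encode user input before displaying it", since the rest of the sentence and the TSafeHtml / SafeText recommendation in the context below are about making output safe for the browser, not about rejecting input. While here, the unchanged context line above has "a poorly design forum system", which should be "a poorly designed forum system".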
@@ -51,7 +51,7 @@ There are several countermeasures to prevent cookies from being attacked.
<li>Validate cookie data and detect if they are altered.</li>
</ul>
<p>
-Prado implements a cookie validation scheme that prevents cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enable.
+PRADO implements a cookie validation scheme that prevents cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enable.
</p>
<p>
Cookie validation is disabled by default. To enable it, configure the <tt>THttpRequest</tt> module as follows,
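Review bot: "Prado" to "PRADO" is fine, but the same line still has "if cookie validation is enable", which should be "enabled", and "prevents cookies from being modified" overstates what an HMAC gives you: the client can always alter the cookie; the check lets the server detect the alteration and reject the value, which is exactly what the list item above ("Validate cookie data and detect if they are altered.") says. Suggest "detects modification of cookie values and rejects tampered cookies when cookie validation is enabled".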
@@ -62,7 +62,7 @@ Cookie validation is disabled by default. To enable it, configure the <tt>THttpR
</modules>
</com:TTextHighlighter>
<p>
-To make use of cookie validation scheme provided by Prado, you also need to retrieve cookies through the <tt>Cookies</tt> collection of <tt>THttpRequest</tt> by using the following PHP statements,
+To make use of cookie validation scheme provided by PRADO, you also need to retrieve cookies through the <tt>Cookies</tt> collection of <tt>THttpRequest</tt> by using the following PHP statements,
</p>
<com:TTextHighlighter CssClass="source">
foreach($this->Request->Cookies as $cookie)
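Review bot: "To make use of cookie validation scheme" on the changed line needs an article ("the cookie validation scheme"). More importantly, the sentence should spell out the consequence of "you also need to retrieve cookies through the Cookies collection": a cookie value read by any other means is not covered by the HMAC check, so the foreach over `$this->Request->Cookies` that follows is not optional when the application relies on validation. One added sentence stating that would make the requirement explicit.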