How does Janrain handle SQL injections?

The short answer is that any input that passes the data validations you have in place for each field will be returned, unescaped, when it is requested. Escape the data before rendering it.

A longer explanation of why:

In general, data from a data source (such as our database) should be considered untrusted in the context of rendering that data within the DOM.

Escape the data when rendering it, according to the context into which it is being rendered. You escape at render time because the correct escaping depends on where and how the data is rendered: it may vary between HTML, XML, JavaScript, etc. Check out the OWASP XSS Prevention Cheat Sheet for more on that.

The widget handles this correctly: within the widget, we properly escape the data when rendering it.

Also, there is the issue of input validation/sanitization. It is the customer's responsibility, with our guidance, to protect the integrity of the data they store across all points of integration. The customer should validate and/or sanitize input data based on what is valid for the piece of data they are collecting (regardless of the context to which it may be rendered). For example, if there are requirements around which characters are valid and allowed in displayName, then (a) require us to add a validation for end-user input in the widget and (b) apply the same logic to any back-end integration using the API.
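
The two points above, validating on input and escaping per context on output, can be sketched as follows. This is an added example, not Janrain widget or API code; the displayName rule (letters, digits, space, `.`, `'`, `-`, 1 to 64 characters) and all function names are assumptions made for illustration.

```javascript
// Added illustration; not Janrain code. All names here are hypothetical.

// One rule for displayName, shared by the widget form and any back-end API
// integration. The allowed character set and length are an assumed requirement.
const DISPLAY_NAME_RULE = /^[\p{L}\p{N} .'-]{1,64}$/u;

function isValidDisplayName(value) {
  return typeof value === "string" && DISPLAY_NAME_RULE.test(value);
}

// HTML element content and quoted attribute values: encode the five
// characters that can change markup structure.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Quoted JavaScript string literal: emit \uXXXX for every UTF-16 code unit
// that is not an ASCII letter or digit, so the value cannot close the string
// or the enclosing script element.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The same stored value, escaped differently for each place it is rendered.
function renderContexts(name) {
  return {
    html: `<span class="name">${escapeHtml(name)}</span>`,
    attr: `<input name="displayName" value="${escapeHtml(name)}">`,
    js: `var displayName = "${escapeJsString(name)}";`,
  };
}

// Constructed sample: passes validation, yet still contains a quote character
// that must be escaped in attribute and JavaScript contexts.
const stored = "Anne O'Neil-Smith";
console.log(isValidDisplayName(stored), renderContexts(stored));
```

A name such as `O'Neil` is valid input but still needs escaping when rendered, which is why validation and output escaping are separate steps.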