From 45d27af4cd3372d3f3a4158971210df5b2b420f3 Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Mon, 17 Feb 2025 04:35:32 +0800 Subject: [PATCH] chore: security - note data sanitation and validation in the node backend --- docs/pages/security.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/security.mdx b/docs/pages/security.mdx index 2323bd6..c98f91b 100644 --- a/docs/pages/security.mdx +++ b/docs/pages/security.mdx 
@@ -47,7 +47,7 @@ ACAP's [Firestore Security Rules](https://firebase.google.com/docs/firestore/sec ``` -[ACAP 2.0](/changelog/#version-2-acap-20) allowed users to edit crop recommendations, a new feature introduced in **version 2.0** through weak Firestore Security Rules, making it vulnerable to **Cross-Site Scripting (XSS)**. This lets **unauthorized clients** (e.g., Postman) modify WYSIWYG-form data without protection if accessed from the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). Allowing these in the Firestore Security Rules contradicts the best practices outlined in the [Database](#database) section, which advocates for data mutation with thorough data validation in the **Node backend**. +[ACAP 2.0](/changelog/#version-2-acap-20) allowed users to edit crop recommendations, a new feature introduced in **version 2.0** through weak Firestore Security Rules, making it vulnerable to **Cross-Site Scripting (XSS)**. This lets **unauthorized clients** (e.g., Postman) modify WYSIWYG-form data without protection if accessed from the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). Allowing these in the Firestore Security Rules contradicts the best practices outlined in the [Database](#database) section, which advocates for data mutation with thorough data validation/sanitation in the **Node backend**. For more details, refer to GitHub Issues in the parent **acap-v2 repository** ([[1]](https://github.com/amia-cis/acap-v2/issues/34), [[2]](https://github.com/amia-cis/acap-v2/issues/57)) or check the **Firebase Storage Announcements 2024** under the [Are there security concerns I should be aware of?](/announcements/firebase-storage-2024#security-considerations) section for information and reference.
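Review bot: The amended paragraph still leaves the causal chain between the weak rules and the XSS unclear; "allowed users to edit crop recommendations ... through weak Firestore Security Rules, making it vulnerable to Cross-Site Scripting" reads as if the rules themselves are the XSS vector. Suggest splitting it into the two distinct problems the text already implies: the permissive rules let unauthorized clients write WYSIWYG HTML straight through the Firestore REST API, and that HTML is then rendered without being sanitized, which is what makes it stored XSS. On the one-word change itself, "data validation/sanitation" would read better as "data validation and sanitization" ("sanitation" is the less usual term for this), and "Allowing these in the Firestore Security Rules" has no clear antecedent; say "Allowing such direct client writes in the Firestore Security Rules". The added "For more details" sentence is fine, but since it points at an anchor (`#security-considerations`) in another page, please confirm that anchor exists in the announcements page so the link does not land at the top of the page.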