Built-in security features

SQL injection protection

Generally you do not need to worry about SQL injection unless you are creating your own custom queries.

XSS protection

Cross-site scripting (XSS) enables attackers to inject client-side script into Web pages viewed by other users. XSS protection is built-in to Outlast Framework and enabled by default. To allow safe content to be displayed you can use the |safe filter (see documentation) – a filter that you should always use on {{ofw.js}} since it is by definition javascript but is guaranteed to be safe:


You can enable or disable XSS protection by updating site/index.php. Use the configuration:

$zajconf['feature_xss_protection_enabled'] = true;

CSRF protection

Cross-site request forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

[todo: add docs]

Outlast Web & Mobile Development (c) 2023 | Privacy Policy |