summaryrefslogtreecommitdiff
path: root/doc/doc-docbook/spec.xfpt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/doc-docbook/spec.xfpt')
-rw-r--r--doc/doc-docbook/spec.xfpt12
1 files changed, 12 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5915a3af3..ccfa4424a 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -9453,10 +9453,22 @@ the data type. ACL rules always expand strings. A couple of expansion
conditions do not expand some of the brace-delimited branches, for security
reasons,
.cindex "tainted data" expansion
+.cindex "tainted data" definition
.cindex expansion "tainted data"
and expansion of data deriving from the sender (&"tainted data"&)
is not permitted.
+.new
+Common ways of obtaining untainted equivalents of variables with
+tainted values
+.cindex "tainted data" "de-tainting"
+come down to using the tainted value as a lookup key in a trusted database.
+This database could be the filestem structure,
+or the password file,
+or accessed via a DBMS.
+Specific methods are indexed under &"de-tainting"&.
+.wen
+
.section "Literal text in expanded strings" "SECTlittext"
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-05 21:16:45 +0000