Submitted by StephenVickersSPV on Thu, 18-Apr-2013 20:51.
Security reminders and character encoding
A reminder for developers
Just thought it would be useful to post a reminder to developers that, as with any web application, you should be conscious of potential exploits and security vulnerabilities in your code. There is nothing intrinsically insecure about LTI, but the UIs built around it can be at risk if appropriate precautions are not taken. Some useful sites about potential exploits (e.g. SQL/XML injection) are:
I am sure there are many others - please post a reply with any you recommend.
I would also like to take this opportunity to note that any data passed in an LTI launch request should be encoded using UTF-8 (as required by OAuth). This is not clearly identified in the LTI specification, but we propose to rectify this in the future. I am not aware of any issues arising from this, so assume that everyone is already using UTF-8 anyway!
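Why the UTF-8 point matters when a tool verifies a launch, shown as an added example that is not part of the original post: OAuth 1.0 (RFC 5849, section 3.6) percent-encodes the UTF-8 octets of each value before signing, so a sender that signs Latin-1 octets produces an HMAC-SHA1 signature the receiver cannot reproduce. The URL, key, secret and user name are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample launch data (not from a real deployment).
LAUNCH_URL = "https://tool.example/launch"
CONSUMER_SECRET = "constructed-secret"
LAUNCH_PARAMS = {
    "lti_message_type": "basic-lti-launch-request",
    "lis_person_name_full": "Zoë Müller",
    "oauth_consumer_key": "constructed-key",
    "oauth_signature_method": "HMAC-SHA1",
}

def pct(value, charset="utf-8"):
    """RFC 5849 section 3.6: text -> octets -> escape all but unreserved."""
    return quote(value.encode(charset), safe="-._~")

def base_string(method, url, params, charset="utf-8"):
    """Signature base string: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k, charset), pct(v, charset)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, secret, charset="utf-8"):
    """HMAC-SHA1 signature; the key ends in '&' because a launch has no token secret."""
    key = (pct(secret) + "&").encode("ascii")
    text = base_string(method, url, params, charset).encode("ascii")
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode("ascii")

def verify(method, url, params, secret):
    """Tool-side check: recompute with UTF-8 and compare in constant time."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def launch_signed_with(charset):
    """Simulate a sender that used the given charset when it signed."""
    signature = sign("POST", LAUNCH_URL, LAUNCH_PARAMS, CONSUMER_SECRET, charset)
    return dict(LAUNCH_PARAMS, oauth_signature=signature)

if __name__ == "__main__":
    for charset in ("utf-8", "latin-1"):
        ok = verify("POST", LAUNCH_URL, launch_signed_with(charset), CONSUMER_SECRET)
        print(f"signed with {charset}: {'accepted' if ok else 'rejected'}")
```

A launch whose values are all ASCII verifies under either charset, which is how an encoding mismatch can go unnoticed until a name with an accented character arrives.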