Evan Rutledge Borden b50ca99566 Deprecate insecure JSON body functions
`parseJsonBody` and `requireJsonBody` do not require a mime type when
parsing `JSON` content. This leaves them open to CSRF. They are now
deprecated and `insecure` versions are added in their place. Consumers
are now given a proper choice between secure and insecure functions.

There is a potential attack vector in that the browser does not trigger
CORS requests for "simple requests", which includes POST requests that
are form or text content-types. An attacker can craft a form whose body
is valid JSON, and when a user visits attacker.com and submits that
form, it can be submitted to bank.com and bypass CORS.

Checking the content-type is application/json prevents this, because if
the content-type was set to application/json, then the browser would
send a CORS request—a preflight OPTIONS request to the server asking if
the current domain (and some other values) are whitelisted to send
requests to that server. If the server doesn't say attacker.com is
whitelisted, the browser will not send the real request to the server.
2019-01-24 09:12:48 -06:00
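
The check the commit message describes, as an added example that is not code from the yesod repository: a small JavaScript model of which cross-origin POSTs a browser delivers without a preflight, next to a header-blind JSON parser and a content-type-checked one. All function names and the sample requests are hypothetical and constructed for illustration.

```javascript
// Added illustration; names are hypothetical, not yesod-core functions.
// Media types a browser sends cross-origin with no preflight ("simple requests").
const SIMPLE_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Bare media type: parameters dropped, trimmed, lowercased; null if absent.
function mediaType(header) {
  if (typeof header !== 'string') return null;
  const t = header.split(';')[0].trim().toLowerCase();
  return t === '' ? null : t;
}

// True when a cross-origin POST with this Content-Type is delivered
// without the browser first sending an OPTIONS preflight.
function sentWithoutPreflight(contentType) {
  const t = mediaType(contentType);
  return t === null || SIMPLE_TYPES.has(t);
}

// Models the deprecated behaviour: parse the body, never look at the header.
function parseInsecureJson(req) {
  try { return { ok: true, value: JSON.parse(req.body) }; }
  catch (e) { return { ok: false, error: 'invalid JSON' }; }
}

// Models the checked behaviour: exact match on application/json, then parse.
// A prefix or substring match would let other labels through.
function parseCheckedJson(req) {
  const t = mediaType(req.headers['content-type']);
  if (t !== 'application/json') {
    return { ok: false, error: 'non-JSON content type: ' + t };
  }
  return parseInsecureJson(req);
}

// Summarise one request: does it skip preflight, and which parser accepts it?
function evaluate(req) {
  return {
    noPreflight: sentWithoutPreflight(req.headers['content-type']),
    insecureAccepts: parseInsecureJson(req).ok,
    checkedAccepts: parseCheckedJson(req).ok,
  };
}

// Constructed sample requests (not captured traffic).
const body = '{"to":"acct-2","amount":100}';
const formPost = { headers: { 'content-type': 'text/plain' }, body };
const apiPost = { headers: { 'content-type': 'application/json; charset=utf-8' }, body };
```

`evaluate(formPost)` shows the case the commit closes: the request skips preflight and the header-blind parser accepts it, while the checked parser refuses it. Every request the checked parser accepts carries a content type the browser would have preflighted.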
.github stack list-dependencies is deprecated 2018-06-06 20:39:56 +05:30
demo Added an example with email auth and an ses mailer 2015-12-05 20:21:38 -07:00
yesod deleted: unneed cabal build-depends by weeder 2018-06-09 13:15:21 +09:00
yesod-auth Merge branch 'update-persistent' of https://github.com/DanBurton/yesod 2018-10-14 10:47:23 +03:00
yesod-auth-oauth Fix typo in deprecation message 2018-12-27 17:31:58 -08:00
yesod-bin Relax upper bound (fixes #1566) 2018-12-19 08:28:07 +02:00
yesod-core Deprecate insecure JSON body functions 2019-01-24 09:12:48 -06:00
yesod-eventsource deleted: unneed cabal build-depends by weeder 2018-06-09 13:15:21 +09:00
yesod-form updated ChangeLog 2019-01-19 13:12:29 -05:00
yesod-newsfeed Version bumps and changelog updates 2018-01-15 15:57:36 +02:00
yesod-persistent Updated changelogs and versions for #1561 2018-10-11 14:21:17 -04:00
yesod-sitemap deleted: unneed cabal build-depends by weeder 2018-06-09 13:15:21 +09:00
yesod-static Updated changelogs and versions for #1561 2018-10-11 14:21:17 -04:00
yesod-test [yesod-test] Add utility functions to modify cookies 2019-01-14 16:12:32 -08:00
yesod-websockets Eliminate deprecation warnings when building websockets sample.hs 2019-01-07 20:12:12 -05:00
.gitignore Add .DS_Store to .gitignore file 2018-01-24 08:33:46 -08:00
.travis.yml More LTSes are tested 2019-01-22 20:09:05 +02:00
appveyor.yml More LTSes are tested 2019-01-22 20:09:05 +02:00
CODE_OF_CONDUCT.md Switch CoC to Contributor Covenant 2017-12-06 16:02:01 +02:00
CONTRIBUTING.md Respond to @psibi's comments 2017-11-08 22:43:51 -08:00
Dockerfile add a Dockerfile for haskell development 2015-05-27 11:43:16 -04:00
LICENSE Switch to copyright year range #617 2017-02-27 09:47:45 +02:00
README Formatted README a bit 2009-07-14 20:52:09 +03:00
README.md Add travis badge to README 2016-09-01 19:54:18 +03:00
ReleaseNotes.md notes were out of date, seem to be maintained on wiki, noted such 2013-01-03 21:09:54 -08:00
sources.txt Version bumps for 1.4 release 2014-09-21 11:41:37 +03:00
stack-lts-9.yaml unliftio extra-deps 2018-06-03 14:54:21 -06:00
stack-persistent-2-9.yaml Fix extra-deps 2018-10-14 10:49:12 +03:00
stack.yaml More LTSes are tested 2019-01-22 20:09:05 +02:00

Yesod Web Framework

An advanced web framework using the Haskell programming language. Featuring:

  • safety & security guaranteed at compile time
  • developer productivity: tools for all your basic web development needs
  • raw performance
    • fast, compiled code
    • techniques for constant-space memory consumption
  • asynchronous IO
    • this is built in to the Haskell programming language (like Erlang)

Learn more about Yesod on its main website. If you want to get started using Yesod, we strongly recommend the quick start guide, based on the Haskell build tool stack.

Hacking on Yesod

Yesod consists mostly of four repositories:

git clone --recursive http://github.com/yesodweb/shakespeare
git clone --recursive http://github.com/yesodweb/persistent
git clone --recursive http://github.com/yesodweb/wai
git clone --recursive http://github.com/yesodweb/yesod

Each repository can be built with stack build.