Security in admin plugin

I saw in your blog post that you are getting close to version 1.0, congratulations.

I was just wondering if there were any plans to look at the security of the admin plugin before the release? In particular, CSRF and XSS would seem to be risks once you have a privileged user performing actions via a web interface.

I’m sure we’ll add CSRF tokens in time for form submissions. XSS and content injection also.

Great to hear! I did a bit of experimentation using symfony’s security-csrf package and got a proof of concept working, but ran into a few problems with the tokens being saved to the header of pages. I can send you a branch with my progress if it would be helpful.

Sure… any help there would be appreciated.