When building tools for IATI data there are several security issues to be aware of.
When parsing XML, you should be aware of entity-based attacks (such as XML External Entity (XXE) injection and entity expansion).
You should make sure that:
- user-supplied files are not executable (for example, a PHP file uploaded into the web directory must not be run by the web server)
Working with IATI data often involves fetching data from arbitrary URLs. You should check that:
- the URLs do not begin with file://, as this would expose data on the local filesystem
- the URLs do not point at any sensitive local HTTP(S) services (server-side request forgery)
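Both checks above, as an added example that is not part of the original page: a standard-library Python parser that refuses DOCTYPE and entity declarations (which XXE and entity-expansion payloads both depend on), and a URL validator that rejects non-http(s) schemes and any host that resolves to a non-public address. The function names and the injectable `resolve` parameter are my own choices, not an IATI library API.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET
from xml.parsers import expat


def parse_xml_no_entities(data: bytes) -> ET.Element:
    """Parse with expat, refusing any DOCTYPE or entity declaration.

    Entity-expansion bombs and external-entity (XXE) reads both need a
    declaration first, so refusing declarations blocks both classes.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid(*_):
        raise ValueError("DOCTYPE or entity declaration rejected")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # exceptions raised in handlers surface here
    return builder.close()


def check_fetch_url(url: str, resolve=socket.getaddrinfo) -> str:
    """Return url if it is safe to fetch, otherwise raise ValueError.

    Only http(s) is allowed (file:// would read the local disk) and every
    address the host resolves to must be public, so loopback, RFC 1918 and
    link-local services such as cloud metadata endpoints are rejected.
    `resolve` is injectable (hypothetical parameter) so the check can be
    exercised offline without real DNS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # IP literal
    except ValueError:  # DNS name: vet every address it resolves to
        addrs = [ipaddress.ip_address(info[4][0].split("%")[0])
                 for info in resolve(parts.hostname, parts.port or 80)]
    bad = [str(a) for a in addrs if not a.is_global]
    if bad or not addrs:
        raise ValueError(f"{parts.hostname} resolves to non-public {bad}")
    return url
```

Resolving and then fetching separately leaves a window for DNS rebinding, so a production fetcher should connect to the vetted address itself and re-run the check on the target of every redirect.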