 

What security issues need to be addressed when working with Google App Engine?

I've been considering using Google App Engine for a few hobby projects. While they won't be handling any sensitive data, I'd still like to make them relatively secure for a number of reasons, like learning about security, legal, etc.

What security issues need to be addressed when working with Google App Engine?

Are they the same issues that other applications - like applications written in other languages or hosted in other ways - are faced with?

Edit: I did some searching, and it looks like I need to sanitize input for XSS and injection. What are other things to consider?

Ocimus asked Oct 06 '10 09:10



1 Answer

“Sanitising” input is not the way to avoid query-injection and markup-injection problems. Using the correct form of escaping at the output stage is... or, even better, using a higher-level tool that deals with it for you.

So for preventing query-injection against GQL, use the parameter-binding interface of GqlQuery. For preventing markup-injection against HTML (leading to XSS), use the HTML-escaping feature of whatever templating language you're using. For example, for Django templates, |escape... or, better, {% autoescape on %} so you don't accidentally miss one.

bobince answered Sep 28 '22 21:09

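The two points in the answer above (bind query parameters rather than building query strings, and escape at the output stage rather than "sanitising" on input), as an added example that is not part of the original answer. It assumes the standard-library `sqlite3` module as a stand-in for GqlQuery's parameter binding (App Engine's equivalent, `db.GqlQuery("... WHERE author = :1", author)`, is not runnable outside the SDK) and `html.escape` as a stand-in for a template engine's autoescaping. The author name and comment body are constructed sample input; the apostrophe in the name is a legitimate value that still breaks naive string concatenation, which is why binding is the right fix rather than stripping characters.

```python
import html
import sqlite3

# Constructed sample input: a perfectly valid name that happens to contain
# an apostrophe and some markup. Nothing here should be "sanitised" away;
# it should be stored as-is and handled correctly at each output boundary.
SAMPLE_AUTHOR = "O'Brien <i>hi</i>"


def build_sample_db():
    """In-memory table standing in for an App Engine Greeting kind (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE greeting (author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO greeting VALUES (?, ?)",
        [(SAMPLE_AUTHOR, "first post"), ("alice", "hello")],
    )
    return conn


def find_greetings_by_author(conn, author):
    """Query-injection fix: parameter binding keeps data separate from query text.

    GqlQuery's equivalent is the :1 / :name binding form shown in the answer.
    """
    cur = conn.execute("SELECT body FROM greeting WHERE author = ?", (author,))
    return [row[0] for row in cur.fetchall()]


def naive_find_fails(conn, author):
    """Returns True if building the query by concatenation breaks on this input.

    Shown only to illustrate why binding is needed: an ordinary apostrophe
    in a name already makes the concatenated query malformed.
    """
    try:
        conn.execute("SELECT body FROM greeting WHERE author = '" + author + "'")
        return False
    except sqlite3.Error:
        return True


def render_greeting(author, body):
    """Markup-injection (XSS) fix: escape at the point the value enters HTML.

    html.escape(quote=True) encodes <, >, &, " and ', so stored text renders
    literally instead of being interpreted as tags or attribute breaks.
    """
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )


if __name__ == "__main__":
    conn = build_sample_db()
    print(find_greetings_by_author(conn, SAMPLE_AUTHOR))
    print("concatenation broke:", naive_find_fails(conn, SAMPLE_AUTHOR))
    for body in find_greetings_by_author(conn, SAMPLE_AUTHOR):
        print(render_greeting(SAMPLE_AUTHOR, body))
```

The stored value is never altered; the bound parameter reaches the database unchanged and the escaped copy reaches the browser unchanged in meaning. That is the property a template engine's autoescape gives you for free across every output, which is why the answer prefers it over remembering `|escape` on each variable.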