The s2 hidden tag (and other input tags) does not escape HTML characters by default as the property tag does. This can easily lead to XSS attacks if you develop a stateless application in which the client is maintaining state. Is there a good reason for this? I think a sensible default would be to escape HTML in all input tags. What do you think?
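To make the point concrete, here is an added example (not Struts code, and not from the poster) that renders a hidden input the way a tag that copies its value verbatim would, next to the same tag with attribute escaping; the `escapeAttr` helper and the sample client-supplied value are constructed for illustration.

```java
/** Added example: why a hidden-field value must be escaped as an HTML attribute. */
public final class HiddenFieldEscaping {

    /** Minimal HTML attribute escaper (illustrative, not the Struts implementation). */
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Rendering that copies the value verbatim: the behaviour the post complains about. */
    static String renderHiddenRaw(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    /** Same tag with name and value escaped, the default the post argues for. */
    static String renderHiddenEscaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeAttr(name)
             + "\" value=\"" + escapeAttr(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample: state round-tripped through the client that contains a quote and a tag.
        String stateFromClient = "page3\"><script>alert(1)</script>";
        // Raw: the quote closes the value attribute and the markup that follows becomes live HTML.
        System.out.println(renderHiddenRaw("state", stateFromClient));
        // Escaped: the whole string stays inside the attribute as inert text.
        System.out.println(renderHiddenEscaped("state", stateFromClient));
    }
}
```

Run it and compare the two lines: only the escaped rendering keeps the client-controlled string confined to the `value` attribute.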
