2009/10/8 The Editor <[email protected]>:
> 3) It is faster to escape whatever needs escaping when the content is
> saved to a page, than to escape it repeatedly every time it is
> retrieved into a page. In other words we are not double encoding, we
> are pre-encoding. So we only have to do it once, not multiple times.
This is a wrong policy from a security point of view. The text in a saved file is not a problem. But it may become a problem if the output to HTML fails to make sure that < characters are HTML-encoded. A < can exist in lots of coded forms in a text source, and whatever is in the page source may get modified in numerous ways. The encoding for the HTML output is essential. Pre-encoding when you save to page is no guarantee to be safe.

You received this message because you are subscribed to the Google Groups "BoltWire" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/boltwire?hl=en
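The point the reply makes (a `<` that was not literally present when the page was saved can reappear before the text reaches the browser, so only escaping at the HTML output point is a guarantee) can be shown with a small runnable model. This is an added example, not BoltWire's own code: the `[[target]]` link rewriting that percent-decodes its target is a hypothetical stand-in for the kind of transformation a wiki engine applies between storage and output, and the sample page text is constructed for the demonstration.

```python
"""Escape-on-save versus escape-on-output (added example, not BoltWire code).

A '<' can reach the page in many coded forms: '<', '&lt;', '&#60;', '&#x3c;',
'%3C' inside a URL, '\\u003c' inside JSON, and so on.  Pre-encoding on save
only handles the forms the save routine happens to know about; every later
transformation of the stored text can turn one of the other forms back into
a live '<'.  Escaping each fragment at the moment it is placed into the HTML
is the step that actually protects the output.
"""
import html
import re
from urllib.parse import unquote

# Hypothetical wiki markup: [[target]] becomes a link.  Assumed for this
# example only; it is not BoltWire's markup.
LINK = re.compile(r"\[\[(.+?)\]\]")

# Constructed sample page text.  Note that it contains no literal '<' inside
# the link: the '<' is hidden as '%3C', a form the save-time escaper ignores.
SAMPLE = "see [[%3Cimg src=x onerror=alert(1)%3E]] and 1 < 2"


def escape_on_save(text: str) -> str:
    """The 'pre-encoding' policy: escape the obvious characters once, at save time."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def rewrite_links(source: str, escape_at_output: bool) -> str:
    """Render [[target]] markup into anchors.

    The link target is percent-decoded (so [[my%20page]] links to 'my page'),
    which is exactly the kind of 'numerous modifications' that can reintroduce
    a '<'.  With escape_at_output=True every fragment is HTML-escaped as it is
    inserted; with False the stored text is trusted as already safe.
    """
    out = []
    pos = 0
    for m in LINK.finditer(source):
        text = source[pos:m.start()]
        target = unquote(m.group(1))  # '%3C' becomes '<' here
        if escape_at_output:
            text = html.escape(text, quote=True)
            target = html.escape(target, quote=True)
        out.append(text)
        out.append(f'<a href="{target}">{target}</a>')
        pos = m.end()
    tail = source[pos:]
    out.append(html.escape(tail, quote=True) if escape_at_output else tail)
    return "".join(out)


def publish_preencode(raw: str) -> str:
    """Policy under discussion: escape once when saving, emit stored text as-is."""
    stored = escape_on_save(raw)
    return rewrite_links(stored, escape_at_output=False)


def publish_escape_on_output(raw: str) -> str:
    """Store the text as written; escape at the point it enters the HTML."""
    stored = raw
    return rewrite_links(stored, escape_at_output=True)


def injected_tags(rendered: str) -> list:
    """Tag names present in the output other than the <a> the markup itself emits.

    Anything else is attacker-controlled markup that reached the browser live.
    """
    return [t for t in re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", rendered) if t != "a"]


if __name__ == "__main__":
    print("pre-encode on save :", publish_preencode(SAMPLE))
    print("  injected tags    :", injected_tags(publish_preencode(SAMPLE)))
    print("escape on output   :", publish_escape_on_output(SAMPLE))
    print("  injected tags    :", injected_tags(publish_escape_on_output(SAMPLE)))
```

Run it and the pre-encoded page emits a live `<img ... onerror=...>` inside the anchor even though `escape_on_save` did its job on the one literal `<` it could see; the version that escapes at output renders the same stored text with no tag other than the engine's own `<a>`, and the literal `1 < 2` comes out as `1 &lt; 2` in both. The save-time pass is at best an optimisation, never the security boundary.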
