https://issues.apache.org/bugzilla/show_bug.cgi?id=43497
--- Comment #6 from Nacho Coloma <icol...@gmail.com> 2011-03-03 07:46:15 EST ---

I disagree. 99% of the XSS injection cases are described in the mentioned link as RULE #1: escape HTML. Even worse, 99% of these cases could be implemented by simply escaping < or any UTF-8 equivalent (some of the escaped characters proposed in the link, like >, do not have any known exploits in modern browsers).

We are talking about any use of ${user.name}, ${post.contents}, ${comment}. These are by far the most common use case. Other cases:

* Cases where sanitizing is NOT desired: you can always fall back to <c:out>
* A command-line flag can be used to disable sanitizing altogether.
* Cases where extra processing is desired (like attribute escaping): for these cases the programmer can invoke extra functions.

I have to say, I have not found a single case where attribute escaping (or JavaScript for that matter) was required. I don't mind sanitizing these by hand, but this patch would make 99% of Tomcat applications safer by default.