I think this is the same as Jira issue 113 that I created yesterday (https://issues.apache.org/jira/browse/ESME-113).

Escaping is the right thing to do on the server side, I think, but why aren't these HTML entity codes getting displayed as the correct characters by the browser?

Ethan

On Thu, Oct 15, 2009 at 10:08 PM, David Pollak <[email protected]> wrote:
> On Thu, Oct 15, 2009 at 6:51 PM, Xuefeng Wu <[email protected]> wrote:
>
>> Hi,
>>
>> I try to input a message like this:
>>
>> Testing <script>alert('test')</script>
>>
>> Show:
>>
>> Testing <script>alert</script>
>>
>
> Oooo.... that's a can of worms. Knowing which things are escaped and which are not is tricky and potentially a huge security risk.
>
> I would encourage escaping all Strings unless they are clearly marked as "do not escape"
>
>> I think the message should be unescaped before display.
>>
>> --
>> Scala Chinese Community: http://groups.google.com/group/scalacn
>>
>
> --
> Lift, the simply functional web framework http://liftweb.net
> Beginning Scala http://www.apress.com/book/view/1430219890
> Follow me: http://twitter.com/dpp
> Surf the harmonics
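As an added illustration (not code from the ESME or Lift projects), the following Python model shows the escape-on-output rule David describes, with an assumed `SafeHtml` marker type standing in for "clearly marked as do not escape", and the double-escaping that makes a browser show entity codes literally, which is the symptom Ethan asks about:

```python
import html
from dataclasses import dataclass

# Constructed sample input, the same message Xuefeng tested with.
MESSAGE = "Testing <script>alert('test')</script>"


@dataclass(frozen=True)
class SafeHtml:
    """Hypothetical marker: the application vouches that this string is already
    safe markup and must NOT be escaped again ("do not escape")."""
    markup: str


def render(value) -> str:
    """Escape-on-output: every plain str is HTML-escaped exactly once at render
    time; only values explicitly wrapped in SafeHtml pass through untouched."""
    if isinstance(value, SafeHtml):
        return value.markup
    return html.escape(str(value), quote=True)


def store_raw(message: str) -> str:
    """Correct storage policy: keep the message as typed and escape at output."""
    return message


def store_escaped(message: str) -> str:
    """Storage policy that escapes at write time. Combined with render(), the
    message is escaped twice: '<' becomes '&lt;' and then '&amp;lt;'."""
    return html.escape(message, quote=True)


def browser_text(markup: str) -> str:
    """Approximates the visible text a browser shows for tag-free markup:
    entity references are decoded once, so '&lt;' displays as '<' but the
    double-escaped '&amp;lt;' displays as the literal text '&lt;'."""
    return html.unescape(markup)


if __name__ == "__main__":
    once = render(store_raw(MESSAGE))
    twice = render(store_escaped(MESSAGE))
    print("escaped once :", once, "->", browser_text(once))   # shows the tag as text
    print("escaped twice:", twice, "->", browser_text(twice)) # shows entity codes
    print("raw passthrough:", render(SafeHtml("<b>trusted</b>")))
```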
