> -----Original Message-----
> From: Jon Stevens [mailto:[EMAIL PROTECTED]]

> Sadly, it seems that the Java world really hasn't taken the cross site
> scripting issues seriously.

<snip>

> How are you currently dealing with these issues? What is your favorite
> way to escape things? Do you filter/escape all content or only some content?


Filter everything for public consumption; it's safest. It's not just <SCRIPT>
you have to watch out for, it's also pernicious things like <P
onMouseOver="foo();">, which may not work often, but you don't want it to
*ever*, and who is to say which inline event handler will or won't work on
what browser now or in the future? It's really the only safe way IMO.

d.
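The contrast d. draws above, a tag blocklist versus escaping every user-supplied string, as an added example that is not part of the thread (Python rather than Java, using only the standard library; the sample strings are constructed from the cases the reply mentions):

```python
import html
import re

# Constructed sample inputs, modelled on the cases named in the reply.
SAMPLES = [
    '<SCRIPT>alert(1)</SCRIPT>',
    '<P onMouseOver="foo();">hover me</P>',
    'Plain text & "quotes"',
]

# Blocklist approach: strip only <script> tags. Deliberately narrow, to show the gap.
_SCRIPT_TAG = re.compile(r'</?script[^>]*>', re.IGNORECASE)


def strip_script_tags(text: str) -> str:
    return _SCRIPT_TAG.sub('', text)


# Escape-everything approach: the string can no longer be parsed as markup at all.
def escape_for_html(text: str) -> str:
    # quote=True also escapes " and ', so the result is inert inside attribute values too.
    return html.escape(text, quote=True)


# Crude detector used only to grade the two strategies: any remaining tag, or any
# tag carrying an on* attribute (an inline event handler), counts as active markup.
_ANY_TAG = re.compile(r'<[a-zA-Z/!][^>]*>')
_INLINE_HANDLER = re.compile(r'<[^>]*\son\w+\s*=', re.IGNORECASE)


def still_has_active_markup(text: str) -> bool:
    return bool(_ANY_TAG.search(text) or _INLINE_HANDLER.search(text))


def compare(samples=SAMPLES):
    """For each sample, report whether each strategy leaves active markup behind."""
    return [
        {
            'input': s,
            'blocklist_unsafe': still_has_active_markup(strip_script_tags(s)),
            'escaped_unsafe': still_has_active_markup(escape_for_html(s)),
        }
        for s in samples
    ]


if __name__ == '__main__':
    for row in compare():
        print(row)
```

The blocklist passes the `<P onMouseOver=...>` sample through untouched, while escaping leaves nothing for any browser's event-handler parsing to act on.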

