on 11/21/01 1:26 AM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
> I don't know of any generic solutions to the getStrippedHtml() or
> removeScriptTag() methods you propose - but are they still necessary if you
> do the getEscapedHtml() processing on everything?
>
> Craig

The issue is whether or not you use 8859_1 as your Content type (and place that in a <meta> tag within the document). If you don't do that, then other encodings have other meanings for the "<" character and someone could use that instead. In other words, if the document is sent out as, say, UTF-7, then the encoded value of "<" is not "<", it is some other value and that could get rendered by the browser because of browser bugs.

This document explains the various methods that we need to implement in CSSCondom...

<http://www.cert.org/tech_tips/malicious_code_mitigation.html>

-jon
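The encoding point in the reply above, shown as an added example (not part of the original message or of the project's code): entity escaping leaves UTF-7 text untouched, so the output is only inert when the response pins its charset. The function names, the constructed sample string and the allowed-charset list are assumptions made for this illustration.

```python
import html

# Constructed sample: "<b>bold</b>" written in UTF-7,
# where "<" is "+ADw-" and ">" is "+AD4-".
UTF7_INPUT = "+ADw-b+AD4-bold+ADw-/b+AD4-"


def escape_html(text):
    """Hypothetical stand-in for getEscapedHtml(): entity-encode <, >, & and quotes."""
    return html.escape(text, quote=True)


def as_seen_by_client(body_bytes, charset):
    """Decode a response body the way a client would under the given charset."""
    return body_bytes.decode(charset)


def pinned_charset(content_type):
    """Return the charset parameter of a Content-Type header value, or None."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.lower() == "charset" and value:
            return value.strip('"').lower()
    return None


def content_type_is_pinned(content_type, allowed=("iso-8859-1",)):
    """True only when the header names an allowed charset (list is an assumption),
    so the client is never left to guess the encoding."""
    return pinned_charset(content_type) in allowed


if __name__ == "__main__":
    escaped = escape_html(UTF7_INPUT)
    body = escaped.encode("ascii")
    # The escaper finds no metacharacters, so the input passes through unchanged.
    print("escaper changed the input:", escaped != UTF7_INPUT)
    # Under the declared charset the bytes stay plain text.
    print("as iso-8859-1:", as_seen_by_client(body, "iso-8859-1"))
    # Under a guessed UTF-7 the same bytes turn into markup.
    print("as utf-7:     ", as_seen_by_client(body, "utf-7"))
    for header in ("text/html", "text/html; charset=ISO-8859-1"):
        print(header, "->", content_type_is_pinned(header))
```
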
