Perhaps the real answer here is to turn on input filtering by default so we defeat XSS once and for all across the board.
On Sun, 8 Feb 2004, Derick Rethans wrote:
> Hey,
>
> while reading the session documentation today
> (en/reference/session/reference.xml) I noticed the following:
>
> To continue, <A HREF="nextpage.php?<?php echo strip_tags (SID)?>">click
> here</A>
>
> The strip_tags() is used when printing the SID in order to prevent XSS
> related attacks.
>
> What's the point of having the SID support < and > anyway and can't we
> just do the 'strip_tags' internally. The usage of strip_tags() in the
> example is now needed, but it looks, well, kinda strange that it is
> needed.
>
> regards,
> Derick
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
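The documentation snippet quoted above wraps SID in strip_tags() because the session id can come from the request and is echoed straight into an href. The example below is added here and is not code from the php-internals thread or from the PHP manual; it shows why strip_tags() is the wrong tool for an attribute context (it removes tags but leaves the quote that closes the attribute), and what context-aware escaping and validation of the id look like instead. The hostile $sid value is constructed, and the function names and the id validation pattern are this example's own assumptions.

```php
<?php
// Added example, not from the thread: emitting a session id into a link.

// Constructed sample standing in for what SID could expand to if a session
// id taken from the URL or cookie were echoed without checks.
$sid = 'PHPSESSID=abc123"><b>bold</b>';

// What the manual example did: strip_tags() drops the <b> element, but the
// double quote survives and still terminates the href attribute, so the rest
// of the value lands outside the attribute as markup/text.
function link_with_strip_tags(string $sid): string
{
    return '<a href="nextpage.php?' . strip_tags($sid) . '">click here</a>';
}

// Escape for the actual contexts: the value sits in a URL query string
// (rawurlencode) which in turn sits in an HTML attribute (htmlspecialchars
// with ENT_QUOTES). Quotes, < and > can then never leave the attribute.
function link_escaped(string $sid): string
{
    [$name, $value] = explode('=', $sid, 2) + [1 => ''];
    $query = rawurlencode($name) . '=' . rawurlencode($value);
    return '<a href="nextpage.php?'
        . htmlspecialchars($query, ENT_QUOTES, 'UTF-8')
        . '">click here</a>';
}

// Better still, validate the id before it is used at all. The character class
// here is an assumption covering the widest alphabet PHP's own generator uses
// (session.sid_bits_per_character = 6); tighten it to match your deployment.
function valid_session_id(string $id): bool
{
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

echo link_with_strip_tags($sid), PHP_EOL;   // attribute is closed early
echo link_escaped($sid), PHP_EOL;           // value stays inside the attribute
var_dump(valid_session_id('abc123"><b>bold</b>')); // bool(false): never echoed
var_dump(valid_session_id(str_repeat('a', 32)));   // bool(true)
```

Run it with `php example.php` and compare the two links: in the first the quote from $sid terminates the href, in the second every special character is encoded and the href boundary is preserved. Validation should come first so that a malformed id is rejected before any output step, with escaping kept as the second layer.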