On Wed, 11 Apr 2007, Dominic Mitchell wrote: >> I think the person saying it was wrong was implying that a better approach >> is to use a real HTML parser to remove unwanted tags. Take a look at a >> module like HTML::Scrubber. > > My best practice is simply to get mason to escape everything, by > default[1]. Having to explicitly unescape things in order to let > through an XSS attack is a very good idea, IMHO.
I don't like turning on the default escape flags, but that's just habit, I guess. It's not a bad idea. I'm pretty careful about escaping everything except for strings/numbers I know are safe (like ids from the database). But generally speaking, you should always escape your output, either by default or explicitly. -dave /*=================================================== VegGuide.Org www.BookIRead.com Your guide to all that's veg. My book blog ===================================================*/ ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Mason-users mailing list Mason-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mason-users
