Dave Rolsky wrote: > On Wed, 11 Apr 2007, Dominic Mitchell wrote: > >>> I think the person saying it was wrong was implying that a better approach >>> is to use a real HTML parser to remove unwanted tags. Take a look at a >>> module like HTML::Scrubber. >> My best practice is simply to get mason to escape everything, by >> default[1]. Having to explicitly unescape things in order to let >> through an XSS attack is a very good idea, IMHO. > > I don't like turning on the default escape flags, but that's just habit, I > guess. It's not a bad idea. I'm pretty careful about escaping everything > except for strings/numbers I know are safe (like ids from the database).
I'm just grateful that Mason actually allows me to do this. It's one of the few web development environments that you _can_ enable escape-by-default. Thankfully, it also makes it easy to not escape when you want to do that. > But generally speaking, you should always escape your output, either by > default or explicitly. Yup. I've always been astonished that tools that purport to generate HTML are so unwilling to actually generate HTML by escaping things for you. It seems a serious deficiency. I'd really, really like my tools to do this for me, because I sure as hell can't remember to do this correctly 100% of the time. -Dom ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Mason-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/mason-users
