Matt Sergeant writes:
> Unfortunately there's also a browser bug to contend with. They treat \x8b
> (I think that's the right code) as < and there's a similar code for
> >. Since most web developers are just doing s/</&lt;/g; they are open to
> attacks based on character sets like this. Sad, but true. Even our loved
> CGI.pm was (is?) open to this bug - I think Lincoln has fixed the
> HTMLEncode function now though.

Gerald, what about Embperl, does it escape \x8b?

Dirk
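
An added example (not code from this thread, CGI.pm or Embperl): the naive substitution from the quoted message beside an escaper that also covers the high bytes. The \x9b counterpart for > and the numeric entities follow what CGI.pm's escapeHTML does for Latin charsets, which the message does not spell out; the function names and the sample string are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Naive escaping as described in the message: only the ASCII '<' is rewritten.
sub naive_escape {
    my ($s) = @_;
    $s =~ s/</&lt;/g;
    return $s;
}

# Escaping for single-byte (Latin-1 style) output. Every character is
# replaced in one pass, so an '&' produced by one replacement is never
# escaped a second time.
my %ENTITY = (
    '&'    => '&amp;',
    '<'    => '&lt;',
    '>'    => '&gt;',
    '"'    => '&quot;',
    "'"    => '&#39;',
    "\x8b" => '&#8249;',   # byte the message says browsers treat as '<'
    "\x9b" => '&#8250;',   # assumed counterpart treated as '>'
);

sub safe_escape {
    my ($s) = @_;
    $s =~ s/([&<>"'\x8b\x9b])/$ENTITY{$1}/g;
    return $s;
}

# Constructed sample input: markup delimited by \x8b / \x9b instead of < / >.
my $input = "hello \x8bb\x9bworld\x8b/b\x9b <i>";

for my $escape (\&naive_escape, \&safe_escape) {
    my $out = $escape->($input);
    # Show any surviving high bytes as \xNN so they are visible on a terminal.
    $out =~ s/([\x80-\xff])/sprintf('\\x%02x', ord $1)/ge;
    print "$out\n";
}
```

The first output line still contains the \x8b and \x9b bytes; the second contains only entities. This applies to byte strings served in a single-byte charset; in UTF-8 output those byte values do not occur as standalone characters.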