On Tue, Jan 22, 2002 at 07:11:28PM +0100, Robin Berjon wrote:
> On Tuesday 22 January 2002 19:04, Perrin Harkins wrote:
> > Of course I set the charset, but I didn't know that might not be enough.
> > Does anyone know if Apache::Util::escape_html() and
> > HTML::Entities::encode() are safe?
>
> A quick look (I could be wrong) at HTML::Entities seems to imply that it
> should be safe, as it uses numeric encoding for characters that it doesn't
> recognize. I don't know about Apache::Util.
BTW, if you don't html-escape and just search for tags you should make sure to
HTML::Entities::decode() the text before processing it. I've seen cases where
people disguised scripting code with numeric entities.. jav&...;script etc...

--
Paul Lindner [EMAIL PROTECTED]
mod_perl Developer's Cookbook http://www.modperlcookbook.org
Human Rights Declaration http://www.unhchr.ch/udhr/index.htm
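The following is an added illustration of the decode-before-inspecting point above; it is example code written for this page, not Paul Lindner's code and not part of the HTML::Entities module. It assumes only that HTML::Entities is installed; the sample inputs are constructed, and the `fully_decoded` helper with its iteration cap is this example's own convention. It goes slightly beyond the message by also reducing doubly-encoded input (an encoded ampersand in front of a numeric entity) before the check runs, and it shows the escaping route asked about in the first question beside the tag-search route.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities decode_entities);

# Decode entities repeatedly until the text stops changing, so that
# doubly-encoded input such as "&amp;#97;" is also reduced to plain text.
# The iteration cap is a constructed safety limit, not an HTML::Entities feature.
sub fully_decoded {
    my ($text) = @_;
    for (1 .. 5) {
        my $next = decode_entities($text);
        last if $next eq $text;
        $text = $next;
    }
    return $text;
}

# Naive filter: looks for a script URL scheme in the raw, still-encoded text.
# A numeric entity in the middle of the word defeats it.
sub raw_check_flags {
    my ($text) = @_;
    return $text =~ /javascript:/i ? 1 : 0;
}

# Decode-first filter, as suggested in the message above: the same pattern
# is applied to the decoded text, so entity-disguised forms are caught.
sub decoded_check_flags {
    my ($text) = @_;
    return fully_decoded($text) =~ /javascript:/i ? 1 : 0;
}

# Constructed sample inputs (not from the thread): the scheme with one letter
# written as a numeric entity, then the same with the ampersand itself encoded.
my @samples = (
    'href="jav&#97;script:run()"',
    'href="jav&amp;#97;script:run()"',
);

for my $s (@samples) {
    printf "%-36s raw:%d decoded:%d\n", $s, raw_check_flags($s), decoded_check_flags($s);
}

# The escaping route from the first question: encode_entities() rewrites the
# markup-significant characters (<, >, &, ") as entities, so the browser
# renders the string as text instead of parsing it as a tag.
my $escaped = encode_entities('<script>run()</script>');
print "escaped: $escaped\n";
```

Run it with `perl script.pl`; the raw check reports 0 for both constructed samples while the decoded check reports 1, and the last line shows the escaped form of the tag. Note that this decoded-text search is only a detection aid: escaping on output with encode_entities() (or its numeric variant) is the route that does not depend on guessing every disguise.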