Clinton Gormley wrote:
> HTML::StripScripts::Parser has a default-deny-everything approach,
> and reconstructs the HTML fed to it, so unless it makes sense as
> HTML, it doesn't get passed through and reconstructed.
This sounds like a good approach, but it's worth noting that XSS is fundamentally an escaping problem, not a filtering one. Nitesh Dhanjani discusses this a bit here:

http://oreillynet.com/onlamp/blog/2005/10/repeat_after_me_lack_of__outpu.html

Chris

-- 
Chris Shiflett
http://shiflett.org/
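The contrast Chris draws, as an added example that is not part of the thread and is not code from either poster or from HTML::StripScripts::Parser: a filter that strips `<script>` tags on input leaves other injection vectors intact, while escaping every untrusted value for the exact output context it lands in (element text, quoted attribute, URL attribute) neutralises all of them without needing to know what an attack looks like. The payloads, the `render_comment` template and the `naive_script_filter` stand-in are constructed for illustration; the filter is deliberately weak and does not represent any real library.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not from the thread): three strings an attacker
# might submit through a comment form.
PAYLOADS = [
    '<script>alert(1)</script>',        # the one a <script> filter catches
    '<img src=x onerror=alert(1)>',      # no <script> tag anywhere
    '" autofocus onfocus="alert(1)',     # breaks out of a quoted attribute
]


def naive_script_filter(untrusted):
    """Input filtering: strip <script>...</script> and nothing else.
    Deliberately inadequate; it stands in for the filtering approach and is
    not the behaviour of HTML::StripScripts::Parser or any real library."""
    return re.sub(r'(?is)<script\b.*?</script\s*>', '', untrusted)


def escape_html_text(untrusted):
    """Output escaping for HTML element content and for values placed inside
    double-quoted attributes: &, <, >, " and ' become character references,
    so whatever the input was, it can only ever render as text."""
    return html.escape(str(untrusted), quote=True)


def escape_url_attribute(untrusted):
    """Output escaping for an href: the same entity escaping applies, but in
    this context an escaper alone cannot neutralise a javascript: URL, so
    the scheme is checked as well and anything unexpected is replaced."""
    cleaned = re.sub(r'[\x00-\x20]', '', untrusted)   # browsers drop these
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ('http', 'https', ''):
        return '#'
    return html.escape(untrusted, quote=True)


def render_comment(author, url, comment):
    """Hypothetical template: every untrusted value is escaped for the
    context it lands in, and attributes are always quoted so the escaping
    is sufficient on its own."""
    return ('<div class="comment">'
            '<a href="{url}">{author}</a>'
            '<p>{comment}</p></div>').format(
                url=escape_url_attribute(url),
                author=escape_html_text(author),
                comment=escape_html_text(comment))


def still_has_raw_markup(s):
    """True if the string still contains characters that are active in HTML
    text or quoted-attribute context. Correctly escaped output never does."""
    return any(c in s for c in '<>"')


def payloads_surviving_filter():
    """Payloads that the tag filter passes through with live markup intact."""
    return [p for p in PAYLOADS if still_has_raw_markup(naive_script_filter(p))]


def payloads_surviving_escape():
    """Payloads that survive contextual output escaping (expected: none)."""
    return [p for p in PAYLOADS if still_has_raw_markup(escape_html_text(p))]


if __name__ == '__main__':
    print('filter lets through :', payloads_surviving_filter())
    print('escaping lets through:', payloads_surviving_escape())
    print(render_comment('<b>mallory</b>', 'javascript:alert(1)', PAYLOADS[1]))
```

Run stand-alone, the first line lists the two payloads that contain no `<script>` tag and so sail through the filter, the second is empty, and the rendered comment shows the `javascript:` href replaced and the author and comment reduced to inert text. The point the code makes is the one the reply makes: the escaper's decision depends only on the output context, never on recognising the attack.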