> This sounds like a good approach, but it's worth noting that XSS is
> fundamentally an escaping problem, not a filtering one. Nitesh Dhanjani
> discusses this a bit here:
>
> http://oreillynet.com/onlamp/blog/2005/10/repeat_after_me_lack_of__outpu.html
Yes and no. From the article:

-----------------
Therefore, I frequently come across situations where developers fix XSS problems by attempting to filter out meta-characters (<, >, /, “, ‘, etc). At times, if an exhaustive list of meta-characters is used, it does solve the problem, but it makes the application less friendly to the end user – a large set of characters are deemed forbidden.
------------------

If the input that you are wanting to display is (eg) a surname, then certainly, escaping will serve your purposes.

However, if you are wanting your user to be able to input HTML and then view it as HTML, escaping isn't sufficient. The combination is required.

________________________________________________________________________
Clinton Gormley
[EMAIL PROTECTED]
www.TravelJury.com - For travellers, By travellers
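As an added illustration of the distinction drawn in the reply above (this is not code from the original post or from anyone on the list): a Python sketch in which plain data such as a surname is escaped on output, while a fragment the user is meant to see rendered as HTML goes through an allowlist sanitizer instead, because escaping it would destroy the intended markup. The tag, attribute and URL-scheme allowlists and the sample fragment are constructed for this example and are deliberately small.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit


# Case 1: the value is plain data (a surname) that must never be read as
# markup. Escaping on output is sufficient and forbids no characters.
def escape_for_html(text: str) -> str:
    return html.escape(text, quote=True)


# Case 2: the value is meant to be rendered as HTML, so escaping alone would
# turn the user's <b> into literal text. Keep a small allowlist and escape
# everything else. (Hypothetical allowlists, chosen for this example only.)
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"http", "https", ""}  # "" means a relative URL
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # drop the element and its text


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; all text is escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed tag: omit the markup, keep the text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # unknown attribute: dropped
            value = (value or "").strip()
            if name == "href":
                scheme = urlsplit(value).scheme.lower()
                if scheme not in ALLOWED_URL_SCHEMES:
                    continue  # non-http(s) link target: dropped
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped, so the user can still write < and > as text.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample values for this example.
    print(escape_for_html("O'Brien <b>"))
    print(escape_for_html("<b>Bold</b>"))  # escaping kills intended markup
    print(sanitize_html(
        '<b>Bold</b> <script>alert(1)</script> '
        '<a href="javascript:void(0)">x</a> <a href="https://example.com">ok</a>'
    ))
```

The two functions answer the two cases in the reply: `escape_for_html` is the whole fix when the field is data, and `sanitize_html` is the "combination" needed when the field is HTML, since it both drops what the allowlist does not cover and escapes every text node that remains.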