On Fri, Mar 19, 2010 at 10:46 AM, David Connors <[email protected]> wrote:
> On 19 March 2010 09:26, Richard Carde <[email protected]> wrote:
> > <sarcasm>Thank goodness ASP.NET traps 'dodgy' characters like < and > in
> > user supplied data</sarcasm>
>
> Yup. It is really a very big worry when people writing the framework can be
> so fundamentally stupid as to think that avoiding XSS issues is a function
> of input, not output.

I think this fact is not particularly obvious to everyone, and the
typical MS strategy is to do something that may cause 'more good' than
'more harm' even if people don't like it. Clearly, this is IE's model
with its respect of invalid HTML, and it's the model of
RequestValidation. Reasonable programmers should turn it off and -
indeed - do everything on *output*, but for the few who are able to create
websites without understanding anything, maybe this helps them.


> --
> David Connors ([email protected])
> Software Engineer
> Codify Pty Ltd - www.codify.com
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

-- 
silky

  http://www.programmingbranch.com/
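Added example to illustrate the point made in this thread (it is not code from either poster, nor ASP.NET's own request-validation or encoding code): an input-side filter that rejects '<' and '>' in the spirit of RequestValidation, next to encoding at output time. The form template, the two payloads and all function names are constructed for the example; the attribute-context payload is a standard illustration of why angle-bracket filtering on input proves nothing about the output.

```javascript
// Input-side check: reject any value containing '<' or '>'. This is the
// mindset the thread criticises; it knows nothing about where the value
// will end up in the page.
function angleBracketInputFilter(input) {
  return !/[<>]/.test(input);
}

// Output-side encoder for HTML text nodes and double-quoted attribute
// values. Encodes the five characters that can change parsing there.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A form field that reflects the submitted value into an attribute value.
// Constructed for the example: attribute context is exactly where a
// '<' / '>' input filter buys nothing.
function renderUnsafe(name) {
  return `<input type="text" name="who" value="${name}">`;
}
function renderSafe(name) {
  return `<input type="text" name="who" value="${htmlEncode(name)}">`;
}

// Number of literal double quotes in the markup. The template has six; any
// extra one means user data has closed the attribute value early.
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed payload: no angle brackets, so the input filter accepts it,
// yet it closes the value attribute and adds an event handler.
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)';
// Constructed payload that the input filter does catch, for comparison.
const TAG_PAYLOAD = '<script>alert(1)</script>';

// Runs both payloads through the filter and both renderers so the
// difference between the two layers is visible side by side.
function demo() {
  return {
    filterAcceptsAttributePayload: angleBracketInputFilter(ATTRIBUTE_PAYLOAD),
    filterAcceptsTagPayload: angleBracketInputFilter(TAG_PAYLOAD),
    unsafe: renderUnsafe(ATTRIBUTE_PAYLOAD),
    safe: renderSafe(ATTRIBUTE_PAYLOAD),
    encodedTagPayload: htmlEncode(TAG_PAYLOAD),
  };
}

console.log(demo());
```

The encoder is deliberately tied to the HTML text and double-quoted attribute contexts; data placed into a URL, a JavaScript string or CSS needs an encoder for that context instead, which is the other reason the decision belongs at the output site rather than at request validation, where the eventual context is unknown.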
