On Fri, Jan 9, 2009 at 11:35 AM, Kornel Lesiński <kor...@aardvarkmedia.co.uk> wrote:
> I disagree. There's nothing wrong with allowing someone to write a comment
> like <script>alert('xss')</script>. I just did that! I hope your e-mail
> client didn't execute the code, and didn't remove it either.
> That's why automatic escaping in PHPTAL is such an important feature -
> allows you to safely and losslessly output any* text.

Right, I didn't make myself clear. I meant that if a system allows HTML input but wants to block some tags like <script> from being used, from my point of view those tags should be stripped/sanitized at the input filter stage and not when outputting the data, mainly for performance reasons.

regards,
/imv
_______________________________________________ PHPTAL mailing list PHPTAL@lists.motion-twin.com http://lists.motion-twin.com/mailman/listinfo/phptal
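The two strategies argued over in this thread side by side, as an added example that is not from the thread or from PHPTAL's own code base. It is plain PHP using htmlspecialchars and DOMDocument, not PHPTAL's API; the allow-list, the function names and the sample comments are assumptions made for illustration. Strategy 1 is what PHPTAL's automatic escaping does: keep the comment verbatim and escape it on every output, so nothing is lost and the reader sees the literal `<script>` as text. Strategy 2 is the input-filter approach from the reply: when a field is allowed to carry HTML, run an allow-list sanitizer once when the comment is stored, and emit the stored result without re-escaping (in TAL syntax, via the `structure` keyword). The practitioner's caveat is that a `str_replace('<script>', '', ...)` style blacklist is not a sanitizer: it misses `<SCRIPT>`, `<script src=...>` and event-handler attributes on otherwise harmless tags, which is why the filter below parses the markup and rebuilds it from an allow-list instead.

```php
<?php
declare(strict_types=1);

// Strategy 1: store the text verbatim, escape at output time (lossless).
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Strategy 2: one-time input filter for fields that may contain HTML.
// Allow-list (assumed for this example): tag => attributes that may survive.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'code' => [],
    'a' => ['href'],
];
// Elements whose text content is discarded as well, not just the tag.
const DROP_WITH_CONTENT = ['script', 'style'];

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    // The leading XML PI makes libxml read the fragment as UTF-8; '@' silences
    // parse warnings on sloppy user markup. libxml wraps the fragment in html/body.
    $loaded = @$doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_HTML_NODEFDTD);
    $body = $loaded ? $doc->getElementsByTagName('body')->item(0) : null;
    if ($body === null) {
        return '';   // nothing parseable survives
    }
    return renderAllowed($body);
}

// Rebuild the markup from the parse tree, keeping only allow-listed tags and
// attributes; every text node is escaped, so text can never become markup.
function renderAllowed(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= escapeForHtml($child->nodeValue);
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;   // comments, processing instructions etc. are dropped
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            continue;   // <script>/<style>: drop tag and body
        }
        if (!isset(ALLOWED_TAGS[$tag])) {
            $out .= renderAllowed($child);   // unknown element: keep children, drop tag
            continue;
        }
        $attrs = '';
        foreach (ALLOWED_TAGS[$tag] as $name) {
            if (!$child->hasAttribute($name)) {
                continue;
            }
            $value = $child->getAttribute($name);
            // Only absolute http(s) links; javascript:, data:, vbscript: never survive.
            if ($name === 'href' && !preg_match('#\Ahttps?://#i', $value)) {
                continue;
            }
            $attrs .= ' ' . $name . '="' . escapeForHtml($value) . '"';
        }
        $out .= $tag === 'br'
            ? '<br>'
            : '<' . $tag . $attrs . '>' . renderAllowed($child) . '</' . $tag . '>';
    }
    return $out;
}

// Constructed sample inputs: the first is the comment from the quoted mail,
// the second is a made-up rich-text comment carrying several payload shapes.
$plainComment = "<script>alert('xss')</script>";
$richComment  = '<p>See <b>this</b> <a href="javascript:alert(1)" onclick="steal()">link</a>'
              . ' and <a href="https://example.org/">that</a>.'
              . '<SCRIPT>alert(1)</SCRIPT><img src=x onerror=alert(1)></p>';

// Strategy 1: emitted on every render; the reader sees the literal tag as text.
echo escapeForHtml($plainComment), "\n";

// Strategy 2: run once at input; the stored string is then output as-is.
$stored = sanitizeHtml($richComment);
echo $stored, "\n";
```

In the second output the `<b>`, the `<p>` and the https link survive, the `javascript:` href and the `onclick` are dropped from the anchor, the uppercase `<SCRIPT>` disappears together with its body, and the `<img>` is removed because it is not on the allow-list. Whichever stage filters, the stored sanitized HTML must then be emitted without escaping, or the escaping will undo the filter's work by turning the kept tags into visible text. For production use a maintained library such as HTML Purifier covers far more corner cases of the HTML parser than this example.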