On Fri, Jan 9, 2009 at 11:35 AM, Kornel Lesiński <kor...@aardvarkmedia.co.uk
> wrote:
>
> I disagree. There's nothing wrong with allowing someone to write comment
> like <script>alert('xss')</script>. I just did that! I hope your e-mail
> client didn't execute the code, and didn't remove it either.
> That's why automatic escaping in PHPTAL is such an important feature -
> allows you to safely and losslessly output any* text.
>
>
Right, I didn't made myself clear. I was meaning that if a system allows
HTML input but wants to block some tags like <script> from being used, from
my point of view, those tags should be stripped/sanitized at the input
filter stage and not when outputting the data, mainly for perfomance issues.
regards,
/imv
_______________________________________________
PHPTAL mailing list
PHPTAL@lists.motion-twin.com
http://lists.motion-twin.com/mailman/listinfo/phptal
