On Fri, Jan 9, 2009 at 11:35 AM, Kornel Lesiński <kor...@aardvarkmedia.co.uk> wrote:

> I disagree. There's nothing wrong with allowing someone to write comment
> like <script>alert('xss')</script>. I just did that! I hope your e-mail
> client didn't execute the code, and didn't remove it either.
> That's why automatic escaping in PHPTAL is such an important feature -
> allows you to safely and losslessly output any* text.
Right, I didn't make myself clear. I meant that if a system allows
HTML input but wants to block some tags like <script> from being used, from
my point of view, those tags should be stripped/sanitized at the input
filter stage and not when outputting the data, mainly for performance issues.
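The two approaches the thread contrasts, as an added Python example (not PHPTAL's code nor either poster's): a strip-on-input filter beside escape-on-output, run over a constructed comment modelled on the one quoted above. The regex, function names and the `compare` helper are assumptions made for this illustration.

```python
import html
import re

# Constructed sample comment, modelled on the one quoted in the thread.
COMMENT = "Nothing wrong with <script>alert('xss')</script> in a comment. I just did that!"

# Approach A (input filter): strip <script> elements before storing, then emit
# the stored text as raw HTML. Lossy: the reader never sees what was written.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def sanitize_on_input(comment: str) -> str:
    """Return the text as it would be stored after stripping <script> blocks."""
    return SCRIPT_RE.sub("", comment)


# Approach B (output escaping, which PHPTAL does automatically): store the text
# verbatim and escape it for the HTML text context at render time.
def escape_on_output(stored: str) -> str:
    """Return the markup a template would emit for a plain-text comment."""
    return html.escape(stored, quote=True)


def is_lossless(original: str, rendered: str) -> bool:
    """A browser decodes entities back to characters; check that round trip."""
    return html.unescape(rendered) == original


def compare(comment: str) -> dict:
    """Run both pipelines on one comment and report what each preserves."""
    stripped = sanitize_on_input(comment)
    escaped = escape_on_output(comment)
    return {
        "stripped": stripped,
        "escaped": escaped,
        "strip_lossless": stripped == comment,
        "escape_lossless": is_lossless(comment, escaped),
        "escaped_has_tag": "<" in escaped,  # no live tag reaches the browser
    }


if __name__ == "__main__":
    for key, value in compare(COMMENT).items():
        print(f"{key}: {value}")
```

The escaped form contains no raw `<`, so the browser renders the comment as literal text; the stripped form is safe too, but the code sample the author typed is gone.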

PHPTAL mailing list
