> However it comes about is fine, I guess. However, if Apache::Util in 1.3 is left
> un-patched then we're kinda giving a false impression that calling
> Apache::Util::escape_html() is sufficient to thwart CSS attacks when it really only
> keeps all but the most clever away.
I guess we shoul
Stas Bekman wrote:
>
> Geoffrey Young wrote:
>
> >>However I'm not sure your patch does the right thing re UTF-8, unless there's
> >>some magic involved that I'm not seeing :-/ I'm no expert on how to deal with
> >>UTF-8 in C (or even in Perl) but it looks like you're only addressing 8bit
> >>encodings.
> >>
>
ok, after some to and fro with robin over
>
> HTML::Entities correctly turns \x8b into &lsaquo; while Apache::Util leaves it
> untouched. That character is treated by certain buggy browsers as < and can
> thus be used to fake tags. Note that just because your browser isn't
> vulnerable (i.e. it doesn't buy the fake h1) doesn't mean that the pro