>
> Now this also escapes what comes from what is generated from
> inside the perl itself (which I know is the correct
> behaviour), what I want is that any user entered data (i.e.
> any externally passed param) is escaped, but not what
> internally generated Perl has done (I.e. a combination
> of $escmode 0 and 4).
Is this unfeasible ?
-Original Message-
From: Gerald Richter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 24 January 2006 6:45 PM
To: 'Pete Moran'; embperl@perl.apache.org
Subject: RE: Cross Site Scripting
Hi,
>
> I know there is probably a simple an
Hi,
>
> I know there is probably a simple answer - according to the
> docs if I set EMBPERL_ESCMODE to 4, then it should fix any
> cross site scripting.
No, 4 is wrong, the best is to use 7 (which is the default). 4 is only for
disabling the special meaning of \ and will do not
I know there is probably a simple answer –
according to the docs if I set EMBPERL_ESCMODE to 4, then it should fix any
cross site scripting.
However if I have a text field called guess, and pass
the following line
?guess=%22%3E%3Cscript%3Ealert('vorsichtfalle!')%3C/scrip
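An added example, not from the thread or from Embperl's own code: plain Perl showing the split asked about above, where markup built by the page's own Perl is emitted as-is and only the externally supplied parameter is escaped at the point it is interpolated. The helper names (`html_escape`, `parse_query`, `render_field`) are hypothetical, the `%fdat` hash here is a local stand-in for Embperl's form-data hash, and the query string is the truncated one quoted in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that can change HTML parsing context,
# including both quote styles so attribute values cannot be closed early.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Minimal query-string decoder (hypothetical stand-in for the framework's
# parameter parsing); returns decoded name/value pairs.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /[&;]/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge; }
        $p{$k} = $v;
    }
    return %p;
}

# Markup generated by the page's own Perl is trusted and written verbatim;
# every value that originated outside the program is escaped right here.
sub render_field {
    my ($name, $value) = @_;
    return sprintf '<input type="text" name="%s" value="%s">',
        html_escape($name), html_escape($value);
}

# Query string as quoted (truncated) in the thread.
my %fdat = parse_query(q{guess=%22%3E%3Cscript%3Ealert('vorsichtfalle!')%3C/scrip});

# The decoded value starts with "> which would close the attribute and the
# tag if written raw; after escaping it stays inside value="...".
print render_field('guess', $fdat{guess}), "\n";
```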