Greg Beaver:
> (Wietse Venema) wrote:
> > Rasmus Lerdorf:
> >>> I don't think it's unreasonable to require scripts outputting content
> >>> other than HTML to include a line that modifies the default behaviour.
> >>> Surely the benefits far outweigh
(Wietse Venema) wrote:
> Rasmus Lerdorf:
>>> I don't think it's unreasonable to require scripts outputting content
>>> other than HTML to include a line that modifies the default behaviour.
>>> Surely the benefits far outweigh that cost.
>> That's already there. They set the content-type. The pro
Stut:
> > That's already there. They set the content-type. The problem becomes
> > when they set it vs. when output goes out. It's also very common to
> > turn on output buffering and buffer a bunch of stuff and then set the
> > content-type just before flushing the buffer.
>
> Maybe it's enoug
Rasmus Lerdorf:
> > I don't think it's unreasonable to require scripts outputting content
> > other than HTML to include a line that modifies the default behaviour.
> > Surely the benefits far outweigh that cost.
>
> That's already there. They set the content-type. The problem becomes
> when the
Rasmus Lerdorf wrote:
Stut wrote:
Wietse Venema wrote:
Rasmus Lerdorf:
Wietse Venema wrote:
Rasmus Lerdorf:
Consider very common (abbreviated) code like this:
$user_data = $_REQUEST['data'];
switch($output_format) {
Question: where is the output format feature documented?
Once I know the
Stut wrote:
> Wietse Venema wrote:
>> Rasmus Lerdorf:
>>> Wietse Venema wrote:
Rasmus Lerdorf:
> Consider very common (abbreviated) code like this:
>
> $user_data = $_REQUEST['data'];
> switch($output_format) {
Question: where is the output format feature documented?
Wietse Venema:
> Rasmus Lerdorf:
> > Wietse Venema wrote:
> > > Rasmus Lerdorf:
> > >> Consider very common (abbreviated) code like this:
> > >>
> > >> $user_data = $_REQUEST['data'];
> > >> switch($output_format) {
> > >
> > > Question: where is the output format feature documented?
> > >
> > >
Wietse Venema wrote:
Rasmus Lerdorf:
Wietse Venema wrote:
Rasmus Lerdorf:
Consider very common (abbreviated) code like this:
$user_data = $_REQUEST['data'];
switch($output_format) {
Question: where is the output format feature documented?
Once I know the output format is not HTML, then I kn
Wietse Venema wrote:
> Rasmus Lerdorf:
>> Wietse Venema wrote:
>>> Rasmus Lerdorf:
Consider very common (abbreviated) code like this:
$user_data = $_REQUEST['data'];
switch($output_format) {
>>> Question: where is the output format feature documented?
>>>
>>> Once I know the out
Rasmus Lerdorf:
> Wietse Venema wrote:
> > Rasmus Lerdorf:
> >> Consider very common (abbreviated) code like this:
> >>
> >> $user_data = $_REQUEST['data'];
> >> switch($output_format) {
> >
> > Question: where is the output format feature documented?
> >
> > Once I know the output format is not
Wietse Venema wrote:
> Rasmus Lerdorf:
>> Consider very common (abbreviated) code like this:
>>
>> $user_data = $_REQUEST['data'];
>> switch($output_format) {
>
> Question: where is the output format feature documented?
>
> Once I know the output format is not HTML, then I know
> that applying HT
Rasmus Lerdorf:
> Consider very common (abbreviated) code like this:
>
> $user_data = $_REQUEST['data'];
> switch($output_format) {
Question: where is the output format feature documented?
Once I know the output format is not HTML, then I know
that applying HTML-style restrictions is not appropr
Wietse Venema wrote:
> M. Sokolewicz:
>> (Wietse Venema) wrote:
>>> laurent jouanneau:
(Wietse Venema) wrote:
> To give an idea of the functionality, consider the following program
> with an obvious HTML injection bug:
>
> $username = $_GET['username'];
> e
M. Sokolewicz:
> (Wietse Venema) wrote:
> > laurent jouanneau:
> >> (Wietse Venema) wrote:
> >>> To give an idea of the functionality, consider the following program
> >>> with an obvious HTML injection bug:
> >>>
> >>> >>> $username = $_GET['username'];
> >>> echo "Welcome back, $user
(Wietse Venema) wrote:
laurent jouanneau:
(Wietse Venema) wrote:
To give an idea of the functionality, consider the following program
with an obvious HTML injection bug:
With default .ini settings, this program does exactly what the
programmer wrote: it echoes the contents of the username
laurent jouanneau:
> (Wietse Venema) wrote:
> > To give an idea of the functionality, consider the following program
> > with an obvious HTML injection bug:
> >
> > > $username = $_GET['username'];
> > echo "Welcome back, $username\n";
> > ?>
> >
> > With default .ini settings, t
(Wietse Venema) wrote:
To give an idea of the functionality, consider the following program
with an obvious HTML injection bug:
With default .ini settings, this program does exactly what the
programmer wrote: it echoes the contents of the username request
attribute, including all the malici