David G Friedman wrote:
> Isn't XSS usually an attack for information which changes often (mutable
> data, blog comments, etc.) and which should NOT normally include your
> site's system messages? So, if your message files get modified to
> include XSS code then you either have an employee you should FIRE or a
> HACKER which is a bigger problem in and of itself.
XSS can use any mechanism which allows user-supplied input to be fed back to the user's browser. Parameterised error messages are one such mechanism.

-- 
Alan Burlison
--

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
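The mechanism Alan describes, shown as an added example that is not part of the thread and not Stripes' own code: a message template from a trusted message file is filled in with a parameter that came straight from the request (the rejected field value), and the resulting string is written into the page. The template itself is never modified; the user-controlled part is the parameter. The example uses plain `java.text.MessageFormat` and a hand-written HTML escaper; the template text, field name and the probe value are constructed for illustration.

```java
import java.text.MessageFormat;

public class ErrorMessageEscaping {

    // Constructed example of a parameterised message as it would sit in a
    // message file. {0} is the field name, {1} is the value the user typed.
    // The doubled single quotes are MessageFormat syntax for a literal quote.
    static final String TEMPLATE = "The value ''{1}'' is not valid for field {0}.";

    // Vulnerable path: the user-supplied value is substituted as-is. If the
    // result is emitted into HTML unescaped, any markup in the value is
    // rendered by the browser, even though the message file is untouched.
    static String renderUnescaped(String fieldName, String userValue) {
        return MessageFormat.format(TEMPLATE, fieldName, userValue);
    }

    // Minimal HTML-body escaper for the five characters that matter in
    // element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened path: every parameter that originates from the request is
    // escaped before it is merged into the trusted template, so the message
    // can be written into an HTML page verbatim.
    static String renderEscaped(String fieldName, String userValue) {
        return MessageFormat.format(TEMPLATE, escapeHtml(fieldName), escapeHtml(userValue));
    }

    public static void main(String[] args) {
        // Constructed probe value: what a tester would type into the field.
        String probe = "<script>alert(1)</script>";

        String unsafe = renderUnescaped("email", probe);
        String safe   = renderEscaped("email", probe);

        System.out.println("unescaped: " + unsafe);
        System.out.println("escaped:   " + safe);

        // A cheap regression check: the rendered message must never contain
        // a raw '<' that did not come from the template itself.
        if (unsafe.contains("<script>")) {
            System.out.println("unescaped output would be interpreted as markup");
        }
        if (!safe.contains("<")) {
            System.out.println("escaped output is inert in an HTML body");
        }
    }
}
```

Escaping the parameters before formatting is the right place when the template text is guaranteed to contain no markup of its own; the alternative is to escape the whole formatted message at the point where the view writes it into the page, which is simpler to audit but breaks any message that intentionally carries HTML. Either way the check to make in review is the same one the thread raises: find every message whose parameters are populated from request data, and confirm that exactly one escaping step sits between that data and the browser, matched to the context (element body, attribute, script) the message lands in.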