"it's a gross oversimplification to assume that the transformation to be applied to user data is to HTML escape it"
Can you elaborate on this please? If I put <script> into a field and the app HTML-escapes it when it's output on the next page, there's no issue. Where is the oversimplification?

-----Original Message-----
From: Mike McNally [mailto:[email protected]]
Sent: Friday, February 06, 2009 7:01 AM
To: Stripes Users List
Subject: Re: [Stripes-users] Is XSS filter still needed?

In my opinion that filter is a terrible idea anyway. XSS is a real concern, but it's a gross oversimplification to assume that the transformation to be applied to user data is to HTML escape it.

--
Turtle, turtle, on the ground,
Pink and shiny, turn around.

_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
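An added illustration of the point being debated (not from the thread or the Stripes project): HTML entity escaping protects the "between tags" context, but a value the page also writes into a JavaScript string literal or a URL query parameter needs a different encoder, because those parsers never decode entities. The sample value and helper names are constructed for this example.

```python
import html
import json
from urllib.parse import quote

# Constructed sample: characters that matter in different output contexts
# (quote, angle brackets, ampersand, newline, backslash).
SAMPLE = "O'Reilly <b>&co</b>\n\\tail"


def encode_html_text(value: str) -> str:
    """Context: text between HTML tags. Entity-escape &, <, >, \", '."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Context: inside a double-quoted JS string literal in a <script> block.
    The JS parser does not decode HTML entities, so use backslash escapes;
    also escape '/', '<' and '>' so the output can never spell '</script>'."""
    body = json.dumps(value)[1:-1]          # JSON escapes ", \, newline, etc.
    return body.replace("/", "\\/").replace("<", "\\u003c").replace(">", "\\u003e")


def encode_url_param(value: str) -> str:
    """Context: a query-string parameter value. Percent-encode everything."""
    return quote(value, safe="")


ENCODERS = {"html_text": encode_html_text,
            "js_string": encode_js_string,
            "url_param": encode_url_param}


def encode_for(context: str, value: str) -> str:
    """Pick the encoder by output context; the wrong context is the bug."""
    return ENCODERS[context](value)


def js_literal_stays_intact(s: str) -> bool:
    """Scan s as the body of a double-quoted JS string literal. False if an
    unescaped quote or raw line terminator would end the literal early, or
    a literal '</' could close the enclosing <script> element."""
    i = 0
    while i < len(s):
        if s[i] == "\\":
            i += 2                      # escape sequence consumes next char
            continue
        if s[i] in '"\n\r' or s.startswith("</", i):
            return False
        i += 1
    return True
```

Running the checks shows that the HTML-escaped value still carries a raw newline and backslash into a JS literal, while the URL encoder, unlike entity escaping, also neutralises the space and `=` that would change the query's meaning.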
