Hey guys, I'm gonna start this as an [OT] as a courtesy.
Found a scenario where filtering the output won't do, I think. I'm doing an all-AJAX webapp. I send an internal mail message to a user's inbox, the same as a user-to-user message would be. Embedded in the message is this:

    <div style="margin: 0px auto;">
      <a onclick="sayYes('203895');">YES</a>
      <a onclick="sayNo('203895');">NO</a>
    </div>

The JavaScript functions do AJAX stuff (I use dojo.io, mostly). The same code in my system sends this and sends a user's mail message. The difference:

1) When a user submits a message via a rich text WYSIWYG editor, my XSS filter would clean this type of stuff out.

2) When my server code sends this stuff, it goes without a hitch.

-Joe
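One defender-side way out of the dilemma Joe describes, as an added example (not Joe's code and not dojo's): the server records who authored each message, the YES/NO controls are rendered from a structured prompt object only for system-authored messages, and every user-supplied body passes through a tiny attribute-free allowlist, so stored markup never needs to be trusted at all. The field names `author`, `body`, `prompt` and the `data-*` attributes are assumptions for this example.

```javascript
// Added example: keep the "who wrote this" decision out of the output filter.
// `author` is set by the server when a message is stored, never taken from the
// client payload, so a user cannot promote their own message to 'system'.

const ALLOWED_TAGS = ['b', 'i', 'p', 'br'];

// Escape everything, then re-enable only bare allowlisted tags (no attributes),
// so an inline handler such as onclick="..." can never survive the filter.
function sanitizeUserHtml(html) {
  let out = String(html)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
  for (const tag of ALLOWED_TAGS) {
    out = out.replace(new RegExp(`&lt;(/?)${tag}\\s*/?&gt;`, 'gi'), `<$1${tag}>`);
  }
  return out;
}

// Prompt ids only ever appear inside an attribute; restrict them to a safe charset.
function safeId(v) {
  return String(v).replace(/[^0-9A-Za-z_-]/g, '');
}

// The YES/NO controls come from structured data, not from stored markup, and use
// data-* attributes so one delegated click listener can replace inline onclick
// handlers (which also lets a Content-Security-Policy forbid inline script).
function renderPrompt(prompt) {
  return `<div class="prompt" data-prompt-id="${safeId(prompt.id)}">` +
    `<a href="#" data-answer="yes">YES</a> <a href="#" data-answer="no">NO</a></div>`;
}

function renderMessage(msg) {
  if (msg.author === 'system' && msg.prompt) {
    return `<div class="msg system">${sanitizeUserHtml(msg.text || '')}${renderPrompt(msg.prompt)}</div>`;
  }
  // Anything the server did not mark as system is untrusted, even if it looks like a prompt.
  return `<div class="msg user">${sanitizeUserHtml(msg.body || '')}</div>`;
}

// Constructed sample messages: a user message that tries to smuggle the same
// markup the server sends, and a genuine server-authored prompt.
const SAMPLES = [
  { author: 'user', body: '<b>hi</b> <a onclick="sayYes(\'203895\')">YES</a>' },
  { author: 'system', text: 'Accept invite?', prompt: { id: '203895' } },
];
```

The server still has to check, when the answer comes back, that the prompt id belongs to the logged-in user; the rendering split only removes the need to let handler-bearing markup through the filter.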