Hi,

Of course we have to watch out when user-generated input
- is included in an HTML/XML document (escape <, >, ...) or
- if someone manually concatenates SQL queries (don't do that), to avoid XSS
attacks and SQL injections.

What filtering or escaping do we have to consider for contentStream.showText( ... )?

Could attackers bring JavaScript, evil active content, attachments, ... into the 
PDF document if they could control the String parameter of showText?

If that is the case, what filtering or escaping does one have to do before passing a 
String to showText?
Is there a ready-to-use function?
Or something like a "PreparedStatement" for text to be written?
( contentStream.showText( "User ? likes ?.", evilUserInput, iceCreamChoice ) )

Yours,
Reg



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
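As an added example (it is not part of the mail above and not code from the PDFBox project), the following Java program feeds a string containing PDF string delimiters and JavaScript-looking text through PDPageContentStream.showText, then tokenizes the page's own content stream to see how the operand was serialised. The check a defender wants is that the whole text ends up as exactly one string operand of a single Tj operator, i.e. that the user-controlled characters never become operators or dictionary keys. The program assumes the PDFBox 2.x API (PDType1Font.HELVETICA, PDFStreamParser(PDContentStream), Operator); the sample input is constructed for the demonstration.

```java
import java.io.IOException;
import java.util.List;

import org.apache.pdfbox.contentstream.operator.Operator;
import org.apache.pdfbox.cos.COSString;
import org.apache.pdfbox.pdfparser.PDFStreamParser;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.PDPageContentStream;
import org.apache.pdfbox.pdmodel.font.PDType1Font;

public class ShowTextEscapingCheck {

    // Constructed input: unbalanced parentheses that would close a PDF literal
    // string early if copied verbatim, followed by text shaped like an action
    // dictionary and a second Tj operator.
    static final String USER_INPUT = "Bob) Tj ET /S /JavaScript (app.alert(1)";

    /** Result of inspecting the serialised content stream. */
    static final class Inspection {
        int tjOperators;        // how many Tj operators the parser saw
        int stringOperands;     // how many string operands the parser saw
        String firstString;     // text recovered from the first string operand
    }

    /** Writes the text via showText and tokenizes the resulting content stream. */
    static Inspection inspect(String userInput) throws IOException {
        String shown = "User " + userInput + " likes vanilla.";
        try (PDDocument doc = new PDDocument()) {
            PDPage page = new PDPage();
            doc.addPage(page);
            try (PDPageContentStream cs = new PDPageContentStream(doc, page)) {
                cs.beginText();
                cs.setFont(PDType1Font.HELVETICA, 12);
                cs.newLineAtOffset(50, 700);
                cs.showText(shown);
                cs.endText();
            }
            // Parse the page's content stream with PDFBox's own tokenizer, so the
            // check reflects what a PDF reader will actually interpret.
            PDFStreamParser parser = new PDFStreamParser(page);
            parser.parse();
            List<Object> tokens = parser.getTokens();

            Inspection result = new Inspection();
            for (Object token : tokens) {
                if (token instanceof Operator && "Tj".equals(((Operator) token).getName())) {
                    result.tjOperators++;
                } else if (token instanceof COSString) {
                    result.stringOperands++;
                    if (result.firstString == null) {
                        // Helvetica's encoding is identity for these ASCII characters,
                        // so the decoded operand should equal the text that was shown.
                        result.firstString = ((COSString) token).getString();
                    }
                }
            }
            return result;
        }
    }

    public static void main(String[] args) throws IOException {
        Inspection r = inspect(USER_INPUT);
        System.out.println("Tj operators seen:     " + r.tjOperators);
        System.out.println("string operands seen:  " + r.stringOperands);
        System.out.println("first string operand:  " + r.firstString);
        boolean intact = r.tjOperators == 1 && r.stringOperands == 1
                && ("User " + USER_INPUT + " likes vanilla.").equals(r.firstString);
        System.out.println("text stayed a single Tj operand: " + intact);
    }
}
```

Run it against the PDFBox version you actually ship and read the three counters: one Tj, one string operand, and a recovered string equal to the input means the delimiters were escaped inside the literal and the "/S /JavaScript" text is just glyphs to be drawn. The check deliberately tokenizes the stream rather than grepping the raw bytes, because the shown text itself legitimately contains the characters "Tj" and "/JavaScript", which a byte-level search would miscount. It only covers the page content stream; JavaScript actions and embedded files live in separate document-level objects that showText does not write.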
