On Wed, 6 Mar 2013, Sharma, Ashish wrote:
> I have a mail receiving server that parses incoming emails for email
> attachment and the files are listed on a web page for users to see.
> Here I need to check for email attachment name for containing JavaScript
> code that could get potentially executed when displayed on a webpage.

Why not just HTML-escape the filenames as a standard practice?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
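
The escaping suggested in the reply above, as an added example that is not part of the original thread: attachment filenames are taken from a parsed message and HTML-escaped at the point where they are written into the page, in both element and attribute context. The sample message, the function names and the page markup are constructed for illustration.

```python
import html
from email import message_from_bytes, policy

# Constructed sample message: two attachments whose filenames contain
# characters that are significant in HTML (<, >, &, ').
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: inbox@example.com\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"see attached\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="<script>alert(1)</script>.txt"\r\n'
    b"\r\n"
    b"data\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pdf\r\n"
    b"Content-Disposition: attachment; filename=\"Q&A 'final'.pdf\"\r\n"
    b"\r\n"
    b"data\r\n"
    b"--b1--\r\n"
)

def attachment_names(raw):
    """Return the filename of every MIME part that declares one, unmodified."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def render_list(names):
    """Build the listing; every filename is escaped where it enters the HTML."""
    rows = []
    for name in names:
        # quote=True also escapes " and ', so the value is safe inside an
        # attribute as well as in element text.
        safe = html.escape(name, quote=True)
        rows.append(f'  <li title="{safe}">{safe}</li>')
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

if __name__ == "__main__":
    print(render_list(attachment_names(SAMPLE)))
```

The stored filename stays as received; escaping is applied only at output, so the same name can still be encoded differently for other contexts such as a URL or a download header.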