On Fri, 22 Mar 2013 07:21:25 -0700 (PDT) John Hardin <jhar...@impsec.org> wrote:
> I suggested HTML-escaping the attachment filenames during the page
> generation as the standard solution

Well, yes. Any content that lands on your doorstep needs to be treated carefully. :)

> but I think there's still a desire to prevent suspicious content
> from getting that far in the first place.

Sure, but trying to determine all the possible attack vectors is futile. Better just to make your code robust by HTML-escaping everything before sending it to the browser.

Regards,

David.
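As an added illustration of the output-escaping approach David recommends (this is example code written for this page, not code from the thread or from any project discussed in it), the following renders an attachment listing from untrusted filenames. The function names `escape_for_html` and `render_attachment_list` and the `attachments/` path prefix are assumptions for the example. Filenames are escaped at the point they are written into the page, in two contexts: HTML text, via `html.escape`, and a URL path component inside an `href`, via `urllib.parse.quote` followed by HTML attribute escaping. No attempt is made to decide whether a filename "looks suspicious"; every name gets the same treatment.

```python
import html
from urllib.parse import quote


def escape_for_html(text: str) -> str:
    """Escape a string for insertion into HTML text or a quoted attribute.

    quote=True makes html.escape also encode '"' and "'", so the result is
    safe inside double- or single-quoted attribute values as well as in text.
    """
    return html.escape(text, quote=True)


def escape_for_url_path(segment: str) -> str:
    """Percent-encode a single path segment. safe='' means '/' is encoded
    too, so one attachment name cannot become several path components."""
    return quote(segment, safe="")


def render_attachment_list(filenames: list[str]) -> str:
    """Build a <ul> of attachment links from untrusted filenames.

    Every name is encoded for the exact context it lands in:
      * href attribute: percent-encoded as a path segment, then HTML-escaped
        (the second step is defence in depth; it is a no-op on the encoded form)
      * link text: HTML-escaped
    """
    items = []
    for name in filenames:
        href = escape_for_html("attachments/" + escape_for_url_path(name))
        label = escape_for_html(name)
        items.append(f'<li><a href="{href}">{label}</a></li>')
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    # Constructed sample filenames, including ones carrying markup characters.
    sample = ["report.pdf", "<b>bold</b>.txt", 'a&b "1".zip']
    print(render_attachment_list(sample))
```

The separation into two small helpers is deliberate: the rule is "encode for the context you are writing into", so an attribute that holds a URL needs URL encoding first and HTML encoding second, while plain text needs only the latter. Applying HTML escaping alone to the `href` would leave spaces and other URL-significant characters untouched.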