Monday, June 23, 2003, 7:37:11 PM, Will Glass-Husain wrote:

> Hi Peter,
>
> Another useful capability the filter mechanism could implement is escaping
> of HTML characters to prevent cross-site scripting vulnerabilities. I think
> Daniel Dekany suggested this.
>
> http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgId=724515

That can't be implemented as a filter, because that escapes only the output
of $foo-s. So if you write:

  #escape(html)
  ...
  <p><b>Title: </b> $title
  ...
  #end

then, assuming that the value of title is "Romeo & Juliet", the output is:

  ...
  <p><b>Title: </b> Romeo &amp; Juliet
  ...

Only the $title was HTML-escaped, but the static text was not.

--
Best regards,
Daniel Dekany
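The distinction Daniel draws, shown with a constructed example that is not Velocity code and not part of the original thread: a toy renderer with a Velocity-like `$reference` syntax (assumed, not the real parser) escapes only substituted values in the filter style, and escapes the whole block in the block-directive reading, so static markup is affected differently.

```python
import html
import re

# Constructed template and context (not from the original thread). The
# markup is the template author's own; the title value is untrusted data.
TEMPLATE = "<p><b>Title: </b> $title</p>"
CONTEXT = {"title": "Romeo & Juliet <script>alert(1)</script>"}

# Assumed reference syntax: "$name" resolves to context[name]. Unknown
# references are left as literal text, which mirrors common template engines.
REF = re.compile(r"\$(\w+)")


def _lookup(context, match):
    name = match.group(1)
    return str(context[name]) if name in context else match.group(0)


def render_filter_style(template, context):
    """Reference-insertion filter: HTML-escape only the values substituted
    for $references. Static template text passes through untouched, so the
    author's <p>/<b> markup survives while the untrusted value is neutralised."""
    return REF.sub(lambda m: html.escape(_lookup(context, m), quote=True), template)


def render_escape_block(template, context):
    """Reading of a block #escape(html) ... #end: substitute references first,
    then escape everything in the block, static markup included."""
    substituted = REF.sub(lambda m: _lookup(context, m), template)
    return html.escape(substituted, quote=True)


def static_markup_preserved(template, rendered):
    """True when the template's own tags still appear literally in the output,
    i.e. only the substituted data was escaped."""
    return "<p><b>Title: </b>" in rendered and rendered.startswith(template[:5])


if __name__ == "__main__":
    print("filter style :", render_filter_style(TEMPLATE, CONTEXT))
    print("escape block :", render_escape_block(TEMPLATE, CONTEXT))
```

Run as a script to see both outputs side by side; the filter-style output keeps the author's tags and neutralises the injected `<script>`, while the block version also turns the author's tags into entities.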
