Monday, June 23, 2003, 10:33:01 PM, Will Glass-Husain wrote:

> Hi,
>
> Might be okay then. Don't most of the problems with cross-site scripting
> vulnerabilities occur with user-entered text that is then displayed?
> The point is to prevent a user from inputting <SCRIPT> by turning it into
> &lt;SCRIPT&gt;.

[snip]
To be more precise, the problem is not only with SCRIPT, but with any HTML. Say, with </body>, or even <a href="someporn.com/pigthing.jpg">...

But, the point is that escaping is not only for security reasons. It's good simply because data mostly comes in plain text form, so in principle you should escape most references. In some apps at least... So it's better if things are escaped by default, and you tell explicitly when you do *not* want to escape a reference. This also eliminates the possibility that the designer simply forgets to escape something.

Somebody says that the context should store that data in HTML-escaped form... I don't know. That's not too good IMO. It's a PITA for the programmer. Also, it's the business of the view to deal with output format related problems. Say, what if I use the same context variable in normal HTML, and in embedded JavaScript as well... then the same variable should be escaped in two different ways, so it will not be good if it is already HTML escaped.

--
Best regards,
Daniel Dekany
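To make the "escape by default, opt out explicitly, and escape per output context" argument concrete, here is a small illustrative template renderer. It is added example code, not FreeMarker's implementation and not code from either poster; the `${name|mode}` syntax, the `raw`/`html`/`js` mode names and the sample input are all assumptions made up for the demonstration. The same context value is rendered once into HTML and once into a JavaScript string literal, and each site gets the escaping that context needs, while the context itself keeps the data in plain text.

```python
import html
import json
import re

# Constructed example (not FreeMarker code): a minimal "escape by default"
# template renderer. Every ${name} reference is escaped for the default
# output context; ${name|js} selects the JavaScript-string escaper and
# ${name|raw} is the explicit opt-out the author argues for.


def escape_html(value):
    """Escape text for placement in an HTML element or attribute body."""
    return html.escape(str(value), quote=True)


def escape_js_string(value):
    """Render value as a double-quoted JavaScript string literal.

    json.dumps handles quotes, backslashes and control characters; on top
    of that, "</" is neutralised so the literal can never close the
    enclosing <script> element, and U+2028/U+2029 are escaped because they
    terminate lines in JavaScript source even though JSON allows them raw.
    """
    literal = json.dumps(str(value))
    return (literal.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


ESCAPERS = {"html": escape_html, "js": escape_js_string}

# ${name} or ${name|mode}; mode is an escaper name or "raw" (assumed syntax).
TOKEN = re.compile(r"\$\{(\w+)(?:\|(\w+))?\}")


def render(template, context, default="html"):
    """Substitute references, escaping each one for its declared context.

    Unknown variables and unknown modes raise rather than silently emitting
    something, so a typo in the view cannot turn into an unescaped output.
    """
    def substitute(match):
        name, mode = match.group(1), match.group(2) or default
        if name not in context:
            raise KeyError(f"no such context variable: {name}")
        value = context[name]
        if mode == "raw":            # explicit opt-out: designer's decision
            return str(value)
        escaper = ESCAPERS.get(mode)
        if escaper is None:
            raise ValueError(f"unknown escape mode: {mode!r}")
        return escaper(value)
    return TOKEN.sub(substitute, template)


# Constructed hostile input stored in the context as plain text, exactly as
# it arrived; the context does not pre-escape it for any one format.
USER_INPUT = '<script>alert("x")</script>'

# One context variable used in two output contexts of the same page.
PAGE_TEMPLATE = (
    "<p>Hello, ${user}</p>\n"
    "<script>var user = ${user|js};</script>\n"
)


def render_page():
    """Render the sample page with the hostile value in both contexts."""
    return render(PAGE_TEMPLATE, {"user": USER_INPUT})


if __name__ == "__main__":
    print(render_page())
```

Because the context holds the raw string, the HTML paragraph receives `&lt;script&gt;...`, while the `<script>` block receives a properly quoted JavaScript literal with `</` broken up; had the context stored the value already HTML-escaped, the JavaScript site would have shown `&lt;` to the user and still needed its own quoting.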
