Some good points-- Thanks! Ok, I'll quiet down now. Just wanted to throw out a potential application for Peter's proposal. Didn't mean to unduly distract the conversation. Back to filtering.
WILL

----- Original Message -----
From: "Daniel Dekany" <[EMAIL PROTECTED]>
To: "Velocity Developers List" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 1:54 PM
Subject: Re: Proposal: Filters

> Monday, June 23, 2003, 10:33:01 PM, Will Glass-Husain wrote:
>
> > Hi,
> >
> > Might be okay then. Don't most of the problems with cross-site scripting
> > vulnerabilities occur with user-entered text that is then displayed?
> > The point is to prevent a user from inputting <SCRIPT> by turning it into
> > &lt;SCRIPT&gt;.
> [snip]
>
> To be more precise, the problem is not only with SCRIPT, but with any
> HTML. Say, with </body>, or even <a href="someporn.com/pigthing.jpg">...
>
> But, the point is that escaping is not only for security reasons. It's
> good simply because data mostly comes in plain text form, so in
> principle you should escape most references. In some apps. at least...
> So it's better if things are escaped by default, and you tell explicitly
> when you do *not* want to escape a reference. This also eliminates the
> possibility that the designer simply forgets to escape something.
>
> Somebody says that the context should store that data in HTML-escaped
> form... I don't know. That's not too good IMO. It's a PITA for the
> programmer. Also, it's the business of the view to deal with output
> format-related problems. Say, what if I use the same context variable
> in normal HTML, and in embedded JavaScript as well... then the same
> variable should be escaped in two different ways, so it will not be good
> if it is already HTML escaped.
>
> --
> Best regards,
> Daniel Dekany
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
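An added illustration of Daniel's last point, not code from the thread or from Velocity: a Python sketch that escapes the same context value once for HTML text and once for a JavaScript string literal, and shows what goes wrong when the context already stores the HTML-escaped form. All function names and the sample value are made up for this example.

```python
import html
import json

# Added example (not from the Velocity thread): one context value, two output
# contexts, two different escapers. Storing the value pre-HTML-escaped in the
# context breaks the JavaScript case, which is the objection raised above.

def escape_html(value: str) -> str:
    """Escape for HTML text content or a quoted attribute value."""
    return html.escape(value, quote=True)

# Escapes for the inside of a JS string literal. '<', '>', '&' and '/' are
# encoded as \uXXXX or \/ so the literal can never contain "</script>" and
# close the script block early; the JS engine decodes them back unchanged.
_JS_ESCAPES = {
    "\\": "\\\\", '"': '\\"', "'": "\\u0027", "\n": "\\n", "\r": "\\r",
    "<": "\\u003C", ">": "\\u003E", "&": "\\u0026", "/": "\\/",
    "\u2028": "\\u2028", "\u2029": "\\u2029",  # line terminators in JS, not in JSON
}

def escape_js_string(value: str) -> str:
    """Escape for placement between the quotes of a JS string literal."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)

def js_runtime_value(literal_body: str) -> str:
    """What the JS engine sees after parsing the literal. Every escape used
    above is also valid JSON, so json.loads models the decoding."""
    return json.loads('"' + literal_body + '"')

def render_both(value: str) -> dict:
    """The view escapes per output context: HTML paragraph and JS assignment."""
    return {
        "html": "<p>" + escape_html(value) + "</p>",
        "js": 'var v = "' + escape_js_string(value) + '";',
    }

def pre_escaped_context_problem(value: str) -> dict:
    """If the context already holds the HTML-escaped form, the HTML view
    double-escapes it and the JS view hands the browser entity text
    ("&lt;a ...") instead of the original value."""
    stored = escape_html(value)  # what a "store it escaped" context would hold
    return {
        "html_double_escaped": escape_html(stored),
        "js_sees": js_runtime_value(escape_js_string(stored)),
    }

if __name__ == "__main__":
    sample = '<a href="x">Tom & Jerry</a>'  # constructed sample input
    print(render_both(sample))
    print(pre_escaped_context_problem(sample))
```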
