Aryeh Gregor wrote on 7/24/2009 5:44 PM:
> On Fri, Jul 24, 2009 at 6:26 PM, Bil Corry<b...@corry.biz> wrote:
>> That's a classic XSS vulnerability. The backend developer must know if
>> there are quotes or not in the template, then encode/sanitize the value
>> accordingly.
>
> It's not XSS if the values are statically provided by the first
> developer and aren't generated from user input.
Sure, but I was basing my reply on the provided example: "Then there might come a change, because dev 1 - or the users of the CMS - suddenly starts to produce longer values." Even in the case where the developer is providing the values via a trusted source (say a database), it's still a best practice to encode/sanitize the value.

- Bil
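The point being argued in the thread, that the encoding has to match whether the template quotes the attribute, can be seen concretely by parsing the rendered markup. The following is an added example, not code from either poster: the two templates, the sample value and the helper names are constructed for illustration, and the parser is Python's standard-library html.parser rather than a browser. It shows that a value which is perfectly safe in a quoted attribute breaks out of an unquoted one as soon as it contains whitespace (the "longer values" case), that html.escape alone does not fix the unquoted case, and what a sufficient encoding for the unquoted context looks like.

```python
import html
import re
from html.parser import HTMLParser

# Constructed templates: "dev 1" decides whether the attribute is quoted,
# while the value may come later from a CMS or a database.
TEMPLATE_UNQUOTED = "<input name=title value={value}>"
TEMPLATE_QUOTED = '<input name="title" value="{value}">'

# Constructed sample values. LONG_VALUE has no quote character at all, so it is
# harmless in a quoted attribute, but its whitespace ends an unquoted one.
LONG_VALUE = "Quarterly report onmouseover=alert(1)"
QUOTE_VALUE = 'x" onmouseover="alert(1)'


class InputAttrs(HTMLParser):
    """Collect the attributes the parser sees on the <input> start tag.
    html.parser unescapes entity references in attribute values, so the
    result reflects the decoded value, as a browser would see it."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    """Return {attribute_name: value} for the <input> tag in markup."""
    p = InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


def render_naive(template, value):
    """No encoding: whatever the value contains becomes part of the markup."""
    return template.format(value=value)


def render_quoted(value):
    """Quoted attribute context: only the delimiting quote can end the value,
    so html.escape with quote=True (encodes & < > " ') is sufficient."""
    return TEMPLATE_QUOTED.format(value=html.escape(value, quote=True))


def encode_unquoted_attr(value):
    """Unquoted attribute context: whitespace and '>' end the value, and the
    terminator set has varied between parsers, so encode every character
    outside [A-Za-z0-9] as a numeric character reference."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "&#x%x;" % ord(m.group(0)), value)


def render_unquoted(value):
    return TEMPLATE_UNQUOTED.format(value=encode_unquoted_attr(value))


def injected(markup):
    """True if the rendered tag carries an attribute the template never declared."""
    return set(parsed_attrs(markup)) - {"name", "value"} != set()


if __name__ == "__main__":
    print(parsed_attrs(render_naive(TEMPLATE_UNQUOTED, LONG_VALUE)))
    print(parsed_attrs(render_naive(TEMPLATE_UNQUOTED, html.escape(LONG_VALUE))))
    print(parsed_attrs(render_unquoted(LONG_VALUE)))
    print(parsed_attrs(render_naive(TEMPLATE_QUOTED, QUOTE_VALUE)))
    print(parsed_attrs(render_quoted(QUOTE_VALUE)))
```

Running the script shows the unquoted template turning "Quarterly report onmouseover=alert(1)" into a `value` of just "Quarterly" plus a `report` attribute and an `onmouseover` handler, with or without html.escape, while the entity-encoded rendering and the quoted rendering both give back the original string as the single `value` attribute. That asymmetry is why the encoder has to be chosen per context rather than applied as one generic "escape" step, and why it is worth applying even when today's values come from a trusted table.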