Hi,
Are there any methods/flags/options available in Apache::ASP to help the developer protect against cross-site scripting?
Any other recommendations in this area?
Any bit of dynamic data (i.e. data you can't trust) rendered on your page should be escaped with
<%= $Server->HTMLEncode($data) %>
You can create a quick alias for that in global.asa like:
# global.asa
sub esc($) { $Server->HTMLEncode(shift) }
and then call
<%= esc($data) %>
or you can turn it into an XMLSubs routine like:
sub my::enc {
    my($args, $html) = @_;
    print $main::Server->HTMLEncode($html);
}
and then use it like:
<my:enc><%= $data %></my:enc>
I am sure others will have other methods they like to use for this... :-)
Regards,
Josh
________________________________________________________________ Josh Chamas, Founder phone:925-552-0128 Chamas Enterprises Inc. http://www.chamas.com NodeWorks Link Checker http://www.nodeworks.com
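The escaping described in the reply, applied per output context, as an added example that is not part of the original message or of the Apache::ASP distribution. The page name hello.asp, the query parameters `name` and `q`, and the link target search.asp are hypothetical; that `$Server->HTMLEncode` escapes the double quote as well as `&`, `<` and `>` is an assumption to confirm against your installed version.

```perl
<%
  # hello.asp (hypothetical page). Everything read from the request is untrusted.
  my $name = $Request->QueryString('name');
  my $q    = $Request->QueryString('q');
  $name = '' unless defined $name;
  $q    = '' unless defined $q;

  # Page-local alias, so this example does not depend on a helper in global.asa.
  my $esc = sub { $Server->HTMLEncode(shift) };

  # Context 1, element text: HTML-encode.
  # Context 2, attribute value: HTML-encode AND keep the attribute in double
  #   quotes (assumes HTMLEncode escapes the double quote, see lead-in).
  # Context 3, query-string value inside a URL: URL-encode with
  #   $Server->URLEncode; HTML encoding alone does not make a value safe here.
%>
<html>
<body>
  <p>Hello, <%= $esc->($name) %></p>

  <form method="get" action="hello.asp">
    <input type="text" name="name" value="<%= $esc->($name) %>">
    <input type="submit" value="Update">
  </form>

  <a href="search.asp?q=<%= $Server->URLEncode($q) %>">
    Search for <%= $esc->($q) %>
  </a>
</body>
</html>
```

HTML encoding covers element text and quoted attribute values; a value written into a `<script>` block or an unquoted attribute needs encoding for that context instead.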