On Wed, May 14, 2008 at 05:20:52PM -0000, [EMAIL PROTECTED] wrote: > It appears there is little that web servers can do to thwart this, > short of changing all '+' characters to %2B. That seems excessive.
To be fair, this is what Microsoft has recommended, explicitly for the purpose of preventing XSS, for *at least* the last 6 years. The library I use does indeed encode "+" as "+".
