Ron Savage wrote:
> On Wed, 2008-02-06 at 17:16 -0500, Michael Peters wrote:
> 
> Hi Michael
> 
>> This is why escaping any data that could potentially come from a user is so
>> important.
> 
> Not just escaping. OP should be warned that server code cannot just rely
> on Javascript-base validation. Someone might disable Javascript and
> sumbit something nasty. That means the validation should be duplicated
> on the server too. And yes, that's a PITA.

Very true. In fact, I almost never do Javascript validation because of this. Why
duplicate my effort? But, it's important to remember that unless you're allowing
your users to submit HTML or JS code, validation is not what prevents XSS. It's
output encoding:

http://www.oreillynet.com/onlamp/blog/2005/10/repeat_after_me_lack_of__outpu.html

-- 
Michael Peters
Developer
Plus Three, LP


#####  CGI::Application community mailing list  ################
##                                                            ##
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp    ##
##                                                            ##
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:          http://cgiapp.erlbaum.net/                 ##
##                                                            ##
################################################################

Reply via email to