> From: Michael Peters
> Sent: Saturday, 9 February 2008 4:28 a.m.
> To: CGI Application
> Subject: Re: [cgiapp] Persistence
>
> Ron Savage wrote:
> > On Wed, 2008-02-06 at 17:16 -0500, Michael Peters wrote:
> >
> > Hi Michael
> >
> >> This is why escaping any data that could potentially come from a user is so
> >> important.
> >
> > Not just escaping. OP should be warned that server code cannot just rely
> > on Javascript-based validation. Someone might disable Javascript and
> > submit something nasty. That means the validation should be duplicated
> > on the server too. And yes, that's a PITA.
>
> Very true. In fact, I almost never do Javascript validation because of this. Why
> duplicate my effort? But, it's important to remember that unless you're allowing
> your users to submit HTML or JS code, validation is not what prevents XSS. It's
> output encoding:
>
> http://www.oreillynet.com/onlamp/blog/2005/10/repeat_after_me_lack_of__outpu.html
Output encoding is definitely the safest, but I still need users to submit certain HTML tags, but not others, and I find Data::FormValidator::Filters::HTMLScrubber does the trick.

#####  CGI::Application community mailing list  ################
##                                                            ##
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp    ##
##                                                            ##
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:          http://cgiapp.erlbaum.net/                 ##
##                                                            ##
################################################################
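As an added example (not from this thread, and not taken from the documentation of the modules it names), here is how the two points made above fit together in a CGI::Application-style handler: server-side validation with Data::FormValidator, an allowlist of HTML tags for the one field that is permitted to carry markup (written here as a plain HTML::Scrubber filter, which is the same job Data::FormValidator::Filters::HTMLScrubber packages as a ready-made filter), and entity encoding of every other value at output time. The field names, the tag allowlist and the sample input are constructed for the example and stand in for what a real handler would read from the CGI query object.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: validate on the server, scrub the
# one field that may carry HTML down to an allowlist, encode everything else.
use strict;
use warnings;
use Data::FormValidator;
use HTML::Scrubber;
use HTML::Entities qw(encode_entities);

# Allowlist scrubber: only these tags survive. The default rule denies every
# other tag and every attribute, so an allowed <b> cannot carry an onmouseover=
# handler. Comments, <script> and <style> (and their contents) are dropped.
my $scrubber = HTML::Scrubber->new(
    allow   => [qw(p b i u br)],
    default => [ 0, { '*' => 0 } ],
    comment => 0,
    script  => 0,
    style   => 0,
);

# Data::FormValidator profile. Field names are constructed for the example.
# A field filter is a coderef that receives the value and returns the cleaned
# value; it runs before the constraints, so valid() hands back the scrubbed text.
my $profile = {
    required      => [qw(name comment)],
    filters       => ['trim'],
    field_filters => {
        comment => sub { $scrubber->scrub(shift) },
    },
    constraint_methods => {
        name => qr/^[\w .'-]{1,64}$/,
    },
};

# Constructed sample input; in a CGI::Application run mode this would come
# from $self->query->Vars (or the individual param() calls).
my %input = (
    name    => "  Ron O'Brien  ",
    comment => '<b onmouseover="alert(1)">hi</b><script>alert(2)</script><i>there</i>',
);

my $results = Data::FormValidator->check( \%input, $profile );

if ( $results->has_missing || $results->has_invalid ) {
    # A real handler would re-render the form with error markers here.
    # Whatever it shows, it must not echo the raw input unencoded.
    die "form rejected: missing/invalid fields\n";
}

my $name    = $results->valid('name');      # validated, still encoded on output
my $comment = $results->valid('comment');   # already reduced to allowlisted tags

# Output encoding is what stops XSS for ordinary fields: the value is a string,
# never markup, so every <, >, & and " becomes an entity.
print '<p>Posted by ', encode_entities($name), "</p>\n";

# The comment field is the single deliberate exception: it is printed as HTML
# because the scrubber already limited it to the allowlist above.
print qq{<div class="comment">$comment</div>\n};
```

The division of labour is the point: the regex on `name` is validation and decides whether the request is accepted at all, `encode_entities` at print time is what keeps a name like `O'Brien <b>` from becoming markup, and the scrubber is used only for the field that is supposed to contain markup. Keeping the allowlist short and denying all attributes is what makes that last exception safe to print unencoded.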