In this particular case, they do not, but you are correct, it should filter / 
encode those values.  As I said in the mail, it hasn't been reviewed that 
heavily yet.  It probably leaks like a sieve too :-)

Andy 'Dru' Satori

On Apr 9, 2010, at 12:59 PM, Jens Alfke <j...@mooseyard.com> wrote:

> 
> On Apr 9, 2010, at 8:52 AM, Dru Satori wrote:
> 
>> [soapRequestXml appendFormat:@"\t\t\t<%@>%@</%@>\n", paramName, paramValue, 
>> paramName];
> 
> Minor note: I hope none of your parameter values contain any XML 
> metacharacters like quotes or angle-brackets, or you’re going to at minimum 
> generate invalid XML, and at worst (if the values might come from an 
> untrusted source) open yourself up to XML injection attacks.
> 
> —Jens
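To illustrate Jens's point, here is a hardened version of the `appendFormat:` line from the thread, written as an added example rather than code from either poster. It escapes the five XML metacharacters in the value before interpolating it, and refuses element names that are not plain XML names, so an untrusted value cannot close the element early or smuggle in extra markup. The `XMLEscapedString`, `IsSafeXMLName` and `AppendSOAPParameter` names are assumptions made for this example, and it relies on Foundation only (compile with ARC, e.g. `clang -fobjc-arc -framework Foundation`).

```objectivec
// Added example, not from the thread: building a SOAP parameter element
// from untrusted input without letting the input alter the XML structure.
#import <Foundation/Foundation.h>

// Replace XML metacharacters with their predefined entities.
// '&' must be handled first; otherwise the '&' introduced by the later
// replacements would itself be re-escaped into "&amp;lt;" and so on.
static NSString *XMLEscapedString(NSString *value) {
    NSString *s = value;
    s = [s stringByReplacingOccurrencesOfString:@"&"  withString:@"&amp;"];
    s = [s stringByReplacingOccurrencesOfString:@"<"  withString:@"&lt;"];
    s = [s stringByReplacingOccurrencesOfString:@">"  withString:@"&gt;"];
    s = [s stringByReplacingOccurrencesOfString:@"\"" withString:@"&quot;"];
    s = [s stringByReplacingOccurrencesOfString:@"'"  withString:@"&apos;"];
    return s;
}

// Element names cannot be escaped, only validated. This is a deliberately
// strict ASCII-only subset of the XML Name production (assumption for this
// example): letters, digits, '_', '-', '.', ':' with a letter or '_' first.
static BOOL IsSafeXMLName(NSString *name) {
    if (name.length == 0) return NO;
    NSCharacterSet *nameChars = [NSCharacterSet characterSetWithCharactersInString:
        @"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.:"];
    NSCharacterSet *startChars = [NSCharacterSet characterSetWithCharactersInString:
        @"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_"];
    if (![startChars characterIsMember:[name characterAtIndex:0]]) return NO;
    return [name rangeOfCharacterFromSet:[nameChars invertedSet]].location == NSNotFound;
}

// Hardened form of the appendFormat: line quoted in the thread.
// Returns NO (and appends nothing) when the element name is unacceptable.
static BOOL AppendSOAPParameter(NSMutableString *soapRequestXml,
                                NSString *paramName, NSString *paramValue) {
    if (!IsSafeXMLName(paramName)) return NO;
    [soapRequestXml appendFormat:@"\t\t\t<%@>%@</%@>\n",
        paramName, XMLEscapedString(paramValue), paramName];
    return YES;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSMutableString *soapRequestXml = [NSMutableString string];

        // Constructed sample value containing every metacharacter.
        NSString *untrustedValue = @"O'Brien & Sons <\"Ltd\">";
        BOOL ok = AppendSOAPParameter(soapRequestXml, @"CompanyName", untrustedValue);
        NSLog(@"appended=%d\n%@", ok, soapRequestXml);
        // Yields: <CompanyName>O&apos;Brien &amp; Sons &lt;&quot;Ltd&quot;&gt;</CompanyName>

        // A name carrying markup is rejected rather than interpolated.
        BOOL rejected = AppendSOAPParameter(soapRequestXml, @"Name><Extra", @"x");
        NSLog(@"bad name accepted=%d", rejected); // prints 0
    }
    return 0;
}
```

Escaping the value keeps the generated document well-formed, and the parser on the server sees the text the client intended, so a value that happens to look like a closing tag is delivered as character data instead of becoming structure. Where the target platform provides it, an XML writer that escapes on your behalf (NSXMLElement on macOS, or libxml2's writer API) is preferable to string assembly, for the same reason parameterised queries are preferable to string-built SQL.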

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)