The purpose of filtering these four characters is to avoid cross-site
scripting attacks that would otherwise be possible if an application
accepted an input text field that had something like a <script>
element in it, and then wrote that text to an HTML output stream with
no modifications.

Are there any other characters that should be filtered for security
reasons?  If not, what's the use case for converting anything else to
its &xxx; equivalent?  That, among other things, can cause you some
grief if you're trying to do XML validation of the resulting output.

Craig


On Sun, 19 Dec 2004 18:51:32 -0300, Edgar Poce <[EMAIL PROTECTED]> wrote:
> Hi
> TagUtils.filter(String value) only filters 4 HTML-sensitive characters
> while there are many more. Is there any special reason, or is it a bug?
> 
> Regards
> Edgar
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>
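An added example, not code from Struts or from either poster, written in Python rather than Java: it contrasts the four-character filter Craig describes (plus the single quote) with a filter that converts every character that has an HTML named entity, and then parses each result as XML to show the validation grief Craig mentions. The function names and sample strings are constructed for the illustration.

```python
"""Compare a minimal HTML-sensitive-character filter with 'escape everything'."""
import html.entities
import xml.etree.ElementTree as ET

# The four characters the Struts filter replaces, plus the single quote for
# values that end up inside a single-quoted attribute. All five escaped forms
# are also legal XML: the first four are XML's predefined entities and the
# fifth is a numeric character reference, so they never break XML parsing.
HTML_SENSITIVE = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;"}


def filter_minimal(value: str) -> str:
    """Escape only the characters that can change the structure of HTML output."""
    return "".join(HTML_SENSITIVE.get(ch, ch) for ch in value)


def filter_everything(value: str) -> str:
    """Replace every character that has an HTML 4 named entity with that entity,
    i.e. the 'convert anything else to its &xxx; equivalent' approach."""
    names = html.entities.codepoint2name
    return "".join(f"&{names[ord(ch)]};" if ord(ch) in names else ch for ch in value)


def is_well_formed_xml(fragment: str) -> bool:
    """Wrap the escaped text in an element and check that an XML parser accepts it.
    Named HTML entities such as &eacute; are undefined in plain XML and fail here."""
    try:
        ET.fromstring(f"<p>{fragment}</p>")
    except ET.ParseError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: an injected element with quotes, and a Latin-1 accent.
    for text in ['<script>x</script> "a" & \'b\'', "café"]:
        for label, fn in (("minimal", filter_minimal), ("everything", filter_everything)):
            out = fn(text)
            print(f"{label:10} {out!r:48} XML ok: {is_well_formed_xml(out)}")
```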
