Re: Escape html

Edgar Poce Sun, 19 Dec 2004 14:24:41 -0800

> Are there any other characters that should be filtered for security
> reasons?

I think there are not. I thought it was a html escape tool and I expected it replaced 'à' with "&agrave" for example. But I see it's not the purpose.

Has it any sense to add an "escape" attribute with values "html", "javascript", ...?

Thanks for your quick response
Edgar

Craig McClanahan wrote:

The purpose for filtering these four characters is to avoid cross site
scripting attacks that would otherwise be possible if an application
accepted an input text field that had something like a <script>
element in it, and then wrote that text to an HTML output stream with
no modifications.

Are there any other characters that should be filtered for security
reasons?  If not, what's the use case for converting anything else to
its &xxx; equivalent?  Which, among other things, can cause you some
grief if you're trying to do XML validation of the resulting output.

Craig


On Sun, 19 Dec 2004 18:51:32 -0300, Edgar Poce <[EMAIL PROTECTED]> wrote:

Hi
TagUtils.filter(String value) only filters 4 html sensitive characters
while there are many more. Is there any special reason or it's a bug?

Regards
Edgar

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Escape html

Reply via email to