not true.  no browser interprets a single "<" as a tag unless it has a
valid tag name (and company) and closing ">" directly after it.  only the
most rudimentary implementations would blindly strip "<"s without looking
at their context.

(and they would be wrong anyway - consider <input value="<">)


> Derek Hoy wrote:
>> On 6/20/06, SmileyChris <[EMAIL PROTECTED]> wrote:
>>> But it is an escaping issue.
>>
>> Isn't the most common use case for this the problem of people entering
>> bad stuff into a form? In which case, regarding it as a validation
>> issue seems good to me.
>
> This is the perl-taint-approach. But it isn't very user friendly.
> It means that you forbid to use e.g. "<" in text fields, just
> because you might somewhere have forgotten to escape your data.
>
> Michael


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
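An added example, not part of the original thread: the two approaches argued over above (deleting "<" at input time versus escaping at output time), each rendered into the `<input value="...">` case from the message and parsed back with Python's standard `html.parser`. The function names and the sample values are assumptions made up for this illustration.

```python
from html import escape
from html.parser import HTMLParser


class InputCollector(HTMLParser):
    """Records the attribute dict of every <input> start tag it parses."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def parse_inputs(markup):
    collector = InputCollector()
    collector.feed(markup)
    collector.close()
    return collector.inputs


def render_stripped(value):
    # "Validation" approach: delete angle brackets, then interpolate as-is.
    cleaned = value.replace("<", "").replace(">", "")
    return '<input name="q" value="%s">' % cleaned


def render_escaped(value):
    # Escaping approach: keep the data, encode it for the attribute context.
    return '<input name="q" value="%s">' % escape(value, quote=True)


def round_trip(render, value):
    """Value a parser recovers from the rendered field, or None if no field."""
    inputs = parse_inputs(render(value))
    return inputs[0].get("value") if inputs else None


if __name__ == "__main__":
    # Constructed sample values: a lone "<", and text containing quotes.
    for sample in ["<", '5" < 6"']:
        print(repr(sample))
        print("  stripped:", render_stripped(sample), "->",
              repr(round_trip(render_stripped, sample)))
        print("  escaped: ", render_escaped(sample), "->",
              repr(round_trip(render_escaped, sample)))
```

Stripping loses the user's "<" and still leaves the double quote free to end the attribute early, while escaping returns both sample values unchanged.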