On Thu, Oct 15, 2009 at 6:51 PM, Xuefeng Wu <[email protected]> wrote:
> Hi,
>
> I tried to input a message like this:
>
> Testing <script>alert('test')</script>
> It shows:
> Testing <script>alert</script>
>
Oooo.... that's a can of worms. Knowing which things are escaped and which
are not is tricky and potentially a huge security risk.
I would encourage escaping all Strings unless they are clearly marked as "do
not escape"
>
>
> I think the message should be unescaped before display.
>
> --
> Scala Chinese community (Scala中文社区): http://groups.google.com/group/scalacn
>
--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Surf the harmonics
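The discipline the reply recommends, escape every string by default and let only values explicitly marked "do not escape" through, as an added example that is not part of the original thread and not Lift's own code. It is written in plain JavaScript rather than Scala so it runs anywhere; the `SafeHtml` marker class, the `trusted()` helper and the `html` tagged template are assumed names for illustration, and the sample message is constructed from the one quoted above.

```javascript
// Added example (not Lift's code): escape-by-default HTML rendering where the
// only way to emit raw markup is to wrap it in an explicit "do not escape" type.

// Escape the five characters that can change HTML or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Marker type: a value of this class is the only thing html() emits unescaped.
// A plain string, however trusted it looks, is always escaped.
class SafeHtml {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// Explicitly mark developer-authored markup as "do not escape" (assumed helper name).
function trusted(html) { return new SafeHtml(html); }

// Tagged template: every interpolated value is escaped unless it is SafeHtml.
// The result is itself SafeHtml, so fragments compose without double escaping.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.html : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Constructed sample input: the message from the thread.
const USER_MESSAGE = "Testing <script>alert('test')</script>";

// User-controlled author and message are plain strings, so both get escaped.
function renderMessage(author, message) {
  return html`<li><b>${author}</b>: ${message}</li>`.html;
}

// Composition: the inner fragment is SafeHtml and passes through untouched,
// while the raw user string inside it was escaped exactly once.
function renderThread(author, message) {
  const item = html`<li><b>${author}</b>: ${message}</li>`;
  return html`<ul>${item}</ul>`.html;
}

// The one legitimate "do not escape" case: markup the developer wrote, marked as such.
function renderFooter() {
  return html`<p>${trusted('<a href="http://liftweb.net">Lift</a>')}</p>`.html;
}

console.log(renderThread("xuefeng", USER_MESSAGE));
console.log(renderFooter());
```

The point of the marker type is that the decision "is this escaped?" is answered by the type system at the point of rendering, not by remembering which code path a string came through. Anything that reaches `html` as a bare string is escaped, so a message like the one quoted above is displayed literally instead of executing, and a developer who wants raw markup has to say so in code with `trusted()`, which is easy to grep for in review.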