On Fri, Oct 19, 2001 at 09:22:00AM -0500, Gilles Detillieux wrote:
> I have to disagree with you on this point.  Whether the default syntax
> is insecure or not depends totally on the context in which the template
> variable is used, and how that template variable is generated.

No, it doesn't depend on the context. The default syntax passes client
supplied data unchanged and untested to the result page. This is something
that should never happen, under any circumstance.
Things like STARSLEFT are totally different, they do not use client
supplied information and so are not vulnerable to cross site scripting
attacks. WORDS is.

Yours, Florian.
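To make the distinction concrete, here is an added example (not htdig code, and not from either poster): a small template expander that HTML-escapes variables known to carry client-supplied data (WORDS) while passing server-generated ones (STARSLEFT) through untouched. The `$(NAME)` placeholder syntax and the sample values are assumptions for illustration.

```cpp
#include <map>
#include <set>
#include <string>

// HTML-escape the characters that can break out of text or attribute context.
std::string htmlEscape(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Expand $(NAME) placeholders (assumed syntax, not necessarily htdig's grammar).
// Variables in `clientSupplied` are escaped; everything else passes through.
std::string expandTemplate(const std::string &tmpl,
                           const std::map<std::string, std::string> &vars,
                           const std::set<std::string> &clientSupplied) {
    std::string out;
    std::string::size_type pos = 0;
    while (pos < tmpl.size()) {
        std::string::size_type start = tmpl.find("$(", pos);
        if (start == std::string::npos) { out += tmpl.substr(pos); break; }
        std::string::size_type end = tmpl.find(')', start);
        if (end == std::string::npos) { out += tmpl.substr(pos); break; }
        out += tmpl.substr(pos, start - pos);
        std::string name = tmpl.substr(start + 2, end - start - 2);
        auto it = vars.find(name);
        if (it != vars.end()) {
            out += clientSupplied.count(name) ? htmlEscape(it->second) : it->second;
        }   // an unknown variable expands to nothing
        pos = end + 1;
    }
    return out;
}

// Constructed sample: WORDS comes straight from the query string, STARSLEFT is server-generated.
// With escapeClientData == false the script tag is reflected verbatim (the insecure default).
std::string renderSample(bool escapeClientData) {
    std::map<std::string, std::string> vars = {
        {"WORDS", "<script>alert(1)</script>"},
        {"STARSLEFT", "<img src=\"star.gif\">"}};
    std::set<std::string> client;
    if (escapeClientData) client.insert("WORDS");
    return expandTemplate("Results for $(WORDS) $(STARSLEFT)", vars, client);
}
```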

_______________________________________________
htdig-dev mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/htdig-dev
