Wouldn't a simple solution to that be to filter for URLs and have the alias declaration fail upon finding any? Similarly, any XML/HTML markup? E.g., if the alias string contains "<", ">", "&" or "://" we kill it.
Nope. Only whitelisting works (that is, approve only [A-Za-z0-9_.] or something like that; well, the internationalized version with \ {p}). And not necessarily even then - there are SQL injection attacks which need no quote escapes.
/Janne
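To make the two positions concrete, here is an added example (not code from either poster) that puts the blocklist from the first message next to the allowlist from the reply and runs both over a handful of constructed alias strings. The character class and the 32-character length cap are assumptions for illustration; Python's `\w` is Unicode-aware on `str` patterns, so the second pattern stands in for the "internationalized" variant the reply mentions.

```python
import re

# Blocklist from the first post: reject the alias if any of these substrings appear.
BLOCKED_SUBSTRINGS = ("<", ">", "&", "://")

# Allowlist from the reply: accept only letters, digits, underscore and dot.
# The {1,32} length bound is an assumption added for this example.
ALLOWED_ASCII = re.compile(r"[A-Za-z0-9_.]{1,32}")
# Unicode-aware variant: \w covers letters and digits in any script (plus underscore).
ALLOWED_UNICODE = re.compile(r"[\w.]{1,32}")


def blocklist_ok(alias: str) -> bool:
    """True if none of the blocked substrings occur anywhere in the alias."""
    return not any(token in alias for token in BLOCKED_SUBSTRINGS)


def allowlist_ok(alias: str, unicode: bool = True) -> bool:
    """True only if the whole alias consists of allowed characters (fullmatch, not search)."""
    pattern = ALLOWED_UNICODE if unicode else ALLOWED_ASCII
    return pattern.fullmatch(alias) is not None


def compare(aliases):
    """Map each alias to (accepted_by_blocklist, accepted_by_allowlist) for side-by-side review."""
    return {a: (blocklist_ok(a), allowlist_ok(a)) for a in aliases}


# Constructed sample inputs for this example.
SAMPLES = [
    "jsmith",          # plain alias: both approaches accept
    "jane.doe_42",     # dot and underscore: both accept
    "Zoë",             # non-ASCII letter: Unicode allowlist accepts, ASCII one does not
    "<b>x</b>",        # markup: blocklist catches it, allowlist rejects it too
    "1 OR 1=1",        # no quotes, no markup, no URL: blocklist passes it, allowlist rejects it
    "",                # empty: allowlist rejects (length bound), blocklist has nothing to object to
]

if __name__ == "__main__":
    for alias, (blocked_ok, allowed_ok) in compare(SAMPLES).items():
        print(f"{alias!r:14} blocklist={blocked_ok!s:5} allowlist={allowed_ok}")
```

The `"1 OR 1=1"` row is the point of the reply: it contains none of the four blocked substrings, so the blocklist waves it through, while the allowlist rejects it simply because spaces and `=` are not on the approved list. Note that `fullmatch` (rather than `search`) matters; a partial match would let trailing junk through. Even with the allowlist in place, the alias should still reach the database as a bound parameter, which is the defence against the no-quote injections the reply alludes to.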
