Getting protected against XSS is not so much a matter of sanitizing the arguments, it's more a matter of escaping things the right way.
Fortunately, with Mason there's a way to escape every expression with a default escaping (I guess HTML in your case). If you're using Mason 1, google for default_escape_flags or look there: http://www.masonbook.com/book/chapter-6.mhtml

Set it to 'h' and bang, everything gets escaped to HTML. Of course it means you'll probably have to fix things here and there if you're using Mason for something other than HTML (generating Javascript maybe - I know it's very wrong :P ).

On the subject of 'Internal application -> don't care about XSS', there are plenty of good reasons why no-one should be thinking like that, especially when default OK protection is just one small setting away.

Cheers,
J.

On 13 March 2014 17:09, Shane McCarron <halindr...@gmail.com> wrote:
> Okay, this is probably a stupid question. I have been using Mason (1)
> forever. I have a number of applications deployed using it. I have never
> really worried about XSS attacks or input cleaning, but one of my customers
> reminded me today that because of this it could be relatively easy for
> people to, for example, inject scripts into a page.
>
> Normally I don't care. These applications are not exposed to the outside
> world. But is there a nice, simple way that people are sanitizing their
> Mason arguments on the way in to reduce the risk of this sort of thing?
>
> --
> Shane McCarron
> halindr...@gmail.com

--
Jerome Eteve
+44(0)7738864546
http://www.eteve.net/

_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users
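As an added illustration of the setting Jerome describes (this is example code written for this page, not code from either post or from the Mason project), the script below renders the same Mason 1 component twice, once with no default escaping and once with default_escape_flags set to 'h', so you can see every `<% ... %>` substitution become entity-encoded. It assumes HTML::Mason is installed; the component source and the request value are constructed for the demo, and the `| n` flag is used only on a value the component itself produced, never on a request argument.

```perl
#!/usr/bin/perl
# Added example: Mason 1 default_escape_flags => 'h' makes HTML escaping the
# default for every <% ... %> substitution; '| n' opts one expression back out.
use strict;
use warnings;
use HTML::Mason::Interp;

# Constructed component, kept inline so the script is self-contained.
# With default_escape_flags => 'h', <% $name %> is entity-encoded.
# The '| n' flag disables escaping for that single expression; it is used
# here only on markup the component generated itself.
my $comp_source = <<'MASON';
<%args>
$name
</%args>
<%init>
my $trusted_label = '<em>site-generated markup</em>';
</%init>
<p>Hello, <% $name %></p>
<p>Unescaped on purpose: <% $trusted_label | n %></p>
MASON

# Render the component into a buffer under the given escape flags
# (undef means "no default escaping", i.e. the current situation).
sub render_with_flags {
    my ($flags, %args) = @_;
    my $out = '';
    my %opts = (out_method => \$out);
    # 'h' = HTML-escape every substitution unless a component says '| n'.
    # Under mod_perl the same setting is: PerlSetVar MasonDefaultEscapeFlags h
    $opts{default_escape_flags} = $flags if defined $flags;

    my $interp = HTML::Mason::Interp->new(%opts);
    my $comp   = $interp->make_component(comp_source => $comp_source);
    $interp->exec($comp, %args);
    return $out;
}

# Constructed request value: the kind of string a form field could carry.
# Any of '<', '>', '&' or '"' is enough to show whether escaping happened.
my $untrusted = '<b>Ada</b> & "friends"';

print "--- no default escaping ---\n";
print render_with_flags(undef, name => $untrusted);

print "--- default_escape_flags => 'h' ---\n";
print render_with_flags('h', name => $untrusted);
```

In the second run the angle brackets, ampersand and quotes in `$name` come out as entities while the `| n` expression is passed through untouched, which is the audit point: after switching the default on, grep your components for `| n` and check that each one is applied to a value the application built rather than to a request argument. Note also that 'h' is HTML-body and attribute-value escaping; a value written into a `<script>` block or an unquoted attribute still needs context-specific handling, which is the Javascript case Jerome mentions.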