Doug MacEachern wrote:
> 
> i had a bad feeling about this.  we should not be implementing escape_html
> to begin with, the functionality should all be in apache.  i'm going to
> back out the patch. 

sounds wise, especially considering people like Eric will end up with larger pages as a
result, while the patch fixes a rather obscure vulnerability, for which other solutions
(HTML::Entities) are available.

> anybody care to make a doc patch to explain the
> problems with escape_html before the patch went in?  

I nominate robin, since I forget how it came up in the first place :)

IIRC it was due to this post

http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-03/msg00750.html

and specifically an exploit involving browsers incorrectly assuming 0x8b as a "<" and 0x9b
as a ">", thus creating a way around escape_html().

Robin, does that accurately summarize it?  it's been far too long for me :)

--Geoff
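The bypass Geoff describes, as an added example that is not part of the thread and not mod_perl's or Apache's code: an escape_html that rewrites only the ASCII metacharacters lets a payload spelled with 0x8b/0x9b through untouched, while a variant that also encodes control and high-bit bytes does not. The payload, the look-alike byte set and the helper names are all constructed for this illustration.

```python
"""Added example (mine, not the post's or mod_perl's code): an ASCII-only
escape_html beside a hardened variant, showing the 0x8B/0x9B bypass the
thread describes."""

# The five ASCII metacharacters an HTML escaper classically rewrites.
ASCII_ESCAPES = {
    0x26: b"&amp;",   # &
    0x3C: b"&lt;",    # <
    0x3E: b"&gt;",    # >
    0x22: b"&quot;",  # "
    0x27: b"&#39;",   # '
}

# Constructed payload: "<script>alert(1)</script>" with every "<" written as
# 0x8B and every ">" as 0x9B, the substitution the post says browsers accepted.
PAYLOAD = b"\x8bscript\x9balert(1)\x8b/script\x9b"

# Bytes a browser might render as angle brackets: the real ones plus the two
# look-alikes named in the thread. Constructed for this check, not exhaustive.
ANGLE_LOOKALIKES = {0x3C, 0x3E, 0x8B, 0x9B}


def escape_html_ascii(data: bytes) -> bytes:
    """Escaper that handles only the ASCII metacharacters (the weak form)."""
    return b"".join(ASCII_ESCAPES.get(b, bytes([b])) for b in data)


def escape_html_hardened(data: bytes) -> bytes:
    """Also encode every control byte (except tab/LF/CR) and every byte
    >= 0x7F as a numeric character reference, so nothing outside printable
    ASCII reaches the browser raw. Assumption: the caller emits single-byte
    text; UTF-8 run through this byte-wise filter gets each continuation
    byte encoded separately (see the note below)."""
    out = []
    for b in data:
        if b in ASCII_ESCAPES:
            out.append(ASCII_ESCAPES[b])
        elif (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b >= 0x7F:
            out.append(b"&#%d;" % b)
        else:
            out.append(bytes([b]))
    return b"".join(out)


def leaks_angle_lookalike(escaped: bytes) -> bool:
    """True if escaped output still carries a raw byte a browser may treat as < or >."""
    return any(b in ANGLE_LOOKALIKES for b in escaped)


if __name__ == "__main__":
    weak = escape_html_ascii(PAYLOAD)
    strong = escape_html_hardened(PAYLOAD)
    print("ascii-only:", weak, "leaks" if leaks_angle_lookalike(weak) else "clean")
    print("hardened  :", strong, "leaks" if leaks_angle_lookalike(strong) else "clean")
```

The ASCII-only escaper returns the payload byte for byte, which is the whole problem: its output passes every check a reviewer would do by eye on "<" and ">". HTML::Entities covers this case because encode_entities' default unsafe set is everything outside `\n\r\t !#$%(-;=?-~`, so high-bit bytes are encoded without the caller asking. The byte-wise approach above does mangle multi-byte UTF-8 text into one reference per byte, so the cleaner fix for a site serving non-ASCII content is to declare the output charset explicitly rather than to escape every high-bit byte.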
