> Yes and no. XSS attacks are possible on old browsers, when the charset is not
> set (something which is often the case with modperl apps) and when the
> HTML-escaping bit does not match what certain browsers accept as markup.
Of course I set the charset, but I didn't know that might not be enough. Does anyone know if Apache::Util::escape_html() and HTML::Entities::encode() are safe? - Perrin