> however it comes about is fine, I guess. however, if Apache::Util in 1.3 is left
> un-patched then we're kinda giving a false impression that calling
> Apache::Util::escape_html() is sufficient to thwart CSS attacks when it really only keeps
> all but the most clever away.

I guess we should document this first of all, till it gets fixed. So there will be no surprises.

>> So what spec are you working with?
>
> robin and I were reading
>
> http://www.cl.cam.ac.uk/~mgk25/unicode.html
>
> but there may be others.

thanks!

>> Can we just reap the functionality from some Perl core module in
>> bleadperl that does it right?
>
> well, the problem that robin and I were contemplating is that Apache::Util is supposed to
> be fast because it uses XS. if we went to a pure perl implementation we would lose the
> speed and duplicate something like HTML::Entities (although it would be easier to solve
> the problem).
>
> that said, perhaps there is C code in utf8.c (or wherever) that we can steal to make life
> easier. we probably need to get someone involved who understands the issues better than I
> do :)

Well I suggested to reap from bleadperl, which is mostly written in C :)
But having a nicely implemented code in Perl is a good start. It's much easier to rewrite in C than starting from scratch.

_____________________________________________________________________
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED] http://ticketmaster.com http://apacheweek.com
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/