In Stas' Apache::VMonitor announcement, he mentions changes to prevent cross site scripting.
Changes since 0.7
* prevent cross-site scripting, now HTML-escaping the request field
This is a concern for me at the moment, because I'm building a site which will allow people to submit copy (to be displayed to other users) and I would like them to be able to use HTML and include links to other sites (much like slashdot).
Do any of you have any ideas about good techniques to prevent CSS (and I don't mean those <div> elements) in this scenario?
I've read the articles on cert.org (http://www.cert.org/tech_tips/malicious_code_mitigation.html) and apache.org (http://httpd.apache.org/info/css-security/encoding_examples.html)
thanks
Clinton Gormley
