On Tue, 11 Mar 2003, Clinton Gormley wrote:

> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
>
> > Changes since 0.7
> >
> > * prevent cross-site scripting, now HTML-escaping the request field
>
> In Stas' Apache::VMonitor announcement, he mentions changes to prevent
> cross site scripting.
>
> This is a concern for me at the moment, because I'm building a site
> which will allow people to submit copy (to be displayed to other users)
> and I would like them to be able to use HTML and include links to other
> sites (much like slashdot).
>
> Do any of you have any ideas about good techniques to prevent CSS (and I
> don't mean those <div> elements) in this scenario?

I hate to blatantly advertise, but using AxKit mostly mitigates XSS (don't use the term CSS to mean cross site scripting - it's confusing) bugs, with the exception of JavaScript in URLs and blank lines inserted into headers from a user submission. So you vastly limit the things you have to check for.

--
<!-- Matt -->
<:->get a SMart net</:->
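
The two checks the reply above says are still needed (JavaScript in URLs, blank lines inserted into headers), sketched in Perl as an added example that is not part of the original message and is not AxKit code. The scheme allowlist and the function names `safe_href` and `safe_header_value` are assumptions, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Schemes a user-submitted link may use (assumed site policy).
my %ALLOWED_SCHEME = map { $_ => 1 } qw(http https mailto);

# Return the cleaned URL if it may be placed in an href, otherwise nothing.
sub safe_href {
    my ($url) = @_;
    return unless defined $url;
    # Browsers drop tabs and line breaks inside a URL and skip leading
    # spaces/control characters, so remove them before reading the scheme.
    (my $probe = $url) =~ s/[\t\r\n]//g;
    $probe =~ s/^[\x00-\x20]+//;
    # A colon before the first '/', '?' or '#' means the text in front of
    # it is treated as a scheme; accept it only if it is on the allowlist.
    if ($probe =~ m{^([^/?#]*?):}) {
        return unless $ALLOWED_SCHEME{ lc $1 };
    }
    return $probe;    # allowed scheme, or a relative reference
}

# Return the value if it may be copied into a response header.
# CR or LF ends the header line; a blank line ends the header block.
sub safe_header_value {
    my ($value) = @_;
    return unless defined $value;
    return if $value =~ /[\r\n\x00]/;
    return $value;
}

# Constructed sample submissions, not taken from the thread.
my @urls = ('http://example.org/a?b=1', "java\tscript:alert(1)",
            ' JaVaScRiPt:alert(1)', '/docs/page#top');
for my $u (@urls) {
    my $ok = safe_href($u);
    (my $shown = $u) =~ s/\t/\\t/g;
    printf "href   %-26s => %s\n", $shown, defined $ok ? 'keep' : 'drop';
}
for my $h ('Re: hello', "hello\r\n\r\ninjected body") {
    my $ok = safe_header_value($h);
    (my $shown = $h) =~ s/\r/\\r/g;
    $shown =~ s/\n/\\n/g;
    printf "header %-26s => %s\n", $shown, defined $ok ? 'keep' : 'drop';
}
```

Rejecting a header value that contains CR or LF, rather than stripping the characters, keeps the decision visible in logs.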