Clinton Gormley wrote:
> If the input that you are wanting to display is (eg) a surname,
> then certainly, escaping will serve your purposes. However, if
> you are wanting your user to be able to input HTML and then
> view it as HTML, escaping isn't sufficient. The combination is
> required.
That XSS is fundamentally an escaping problem does not mean escaping is a substitute for filtering, nor vice versa. (Filter input; escape output.) I wasn't suggesting otherwise.

Escaping preserves data. If you want HTML to be interpreted, then it's markup, not data that you want to preserve. As I said, the approach you described for HTML::StripScripts::Parser sounds pretty good for this, but any technique that tries to solve XSS with filtering alone is error-prone, because it doesn't address the root cause of the problem. This can't be avoided in some cases, but that doesn't make it a "yes and no" issue.

Hope that helps.

Chris

-- 
Chris Shiflett
http://shiflett.org/
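The distinction the two posts are drawing (escape when the value is data, filter against an allowlist when the value is meant to be rendered as markup) is easier to see side by side. The following is an added illustration written for this page, not code from either poster and not HTML::StripScripts::Parser; it uses Python's standard-library `html.parser` in place of that Perl module, and the allowlist of tags, attributes and URL schemes is an assumption chosen for the example.

```python
import html
from html.parser import HTMLParser

# Case 1: the value is data (a surname). Escaping preserves it exactly and
# makes every HTML metacharacter inert in the output.
def escape_data(value: str) -> str:
    return html.escape(value, quote=True)

# Case 2: the value is meant to be rendered as markup. Escaping would destroy
# it, so instead rebuild it keeping only an allowlist of tags and attributes.
# The allowlist below is an assumption made for this example.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROPPED_WITH_CONTENT = {"script", "style"}   # element and its body are removed

def safe_href(value: str) -> bool:
    """Accept absolute http(s) URLs and site-relative paths; reject anything
    else (javascript:, data:, protocol-relative //host, ...)."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return True
    return v.startswith("/") and not v.startswith("//")

class AllowlistSanitizer(HTMLParser):
    """Emits allowlisted markup, drops everything else, and escapes all text
    content; any text left over from an unknown tag stays visible but inert."""
    def __init__(self):
        super().__init__(convert_charrefs=True)   # handle_data gets decoded text
        self.out = []
        self.skip_depth = 0                       # >0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                                # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                          # no event handlers, no style
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is always escaped on the way out, even inside allowed tags.
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    print(escape_data("O'Brien <b>"))
    print(sanitize_html('<p onclick="x()">Hi <b>there</b>'
                        '<script>alert(1)</script>'
                        '<a href="javascript:alert(1)">x</a>'
                        '<a href="https://example.com">ok</a></p>'))
```

Note that the sanitizer still escapes on output: text nodes go through `html.escape` and attribute values are re-quoted after the parser has decoded them, so the filtering step removes what must not be interpreted while escaping handles what remains. That is the "combination" the quoted post refers to, and it is why a filter that merely pattern-matches the raw string is the error-prone variant.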