You can pass whatever you want. Everything is escaped by us.

Tilman

-- Original Message --
From: [email protected]
Subject: Escaping or filtering for showText
Date: 16.11.2024, 19:11
To: [email protected]

Hi,

Of course we have to watch out when user-generated input
- is included in an HTML/XML document (escape <, >, ...) or
- if someone would manually concat SQL queries (don't do that)
to avoid XSS attacks and SQL injections.

What filtering or escaping do we have to consider for contentStream.showText( ... )?

Could attackers bring in JavaScript, evil active content, attachments, ... into the PDF document, if they could control the String parameter of showText?

If that is the case, what filtering or escaping does one have to do before passing a String to showText? Is there a ready-to-use function? Or something like a "PreparedStatement" for text to be written?

( contentStream.showText( "User ? likes ?.", evilUserInput, iceCreamChoice ) )

Yours,
Reg

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
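An added example, not part of the thread and not PDFBox's own code, that checks Tilman's answer against the PDFBox 2.0.x API (PDType1Font.HELVETICA, PDPage.getContents(); Java 9+ for readAllBytes): a constructed string containing the PDF literal-string delimiters is passed straight to showText, and the decoded content stream is inspected to confirm the delimiters arrive escaped, so the text never leaves the Tj string operand. It also shows the one caveat a caller still has to handle: characters the chosen font cannot encode are rejected, not escaped.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.PDPageContentStream;
import org.apache.pdfbox.pdmodel.font.PDType1Font;

public class ShowTextEscapingCheck {
    // Constructed input: PDF literal-string delimiters ) and ( plus text that would
    // read as content-stream operators if it ever escaped the string operand.
    static final String EVIL_INPUT = "harmless) Tj /Img Do (";

    // Writes userInput via showText and returns the decoded page content stream.
    static String renderContentStream(String userInput) throws IOException {
        try (PDDocument doc = new PDDocument()) {
            PDPage page = new PDPage();
            doc.addPage(page);
            try (PDPageContentStream cs = new PDPageContentStream(doc, page)) {
                cs.beginText();
                cs.setFont(PDType1Font.HELVETICA, 12);
                cs.newLineAtOffset(50, 700);
                cs.showText(userInput); // passed through untouched, no caller-side escaping
                cs.endText();
            }
            // getContents() decodes the Flate-compressed stream so we can inspect it
            try (InputStream content = page.getContents()) {
                return new String(content.readAllBytes(), StandardCharsets.ISO_8859_1);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        String stream = renderContentStream(EVIL_INPUT);
        // PDFBox escapes ( ) and \ inside the literal: the entire input stays the
        // single string operand of one Tj, so none of it is parsed as an operator.
        if (!stream.contains("(harmless\\) Tj /Img Do \\() Tj")) {
            throw new AssertionError("unexpected content stream:\n" + stream);
        }
        // Caveat: a character the font cannot encode (newline in WinAnsi) is rejected
        // with IllegalArgumentException, not silently dropped; validate input beforehand.
        try {
            renderContentStream("line1\nline2");
            throw new AssertionError("expected IllegalArgumentException");
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
        System.out.println("escaped content stream:\n" + stream);
    }
}
```

Bytes outside ASCII are written by PDFBox as a hex string `<...>` instead of a literal, which needs no escaping at all; the delimiter case above is the only one where escaping is in play.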

