Peter,
Peter Stavrinides wrote:
| Unfortunately, you did not understand or have missed the point... it's
| not about forgoing coded checks, the key point here is to manage data
| security in a more efficient way.

If you say so. Where you see efficiency, I see danger.

|> Really? I wasn't aware that converting '<' to &lt; was that much of a
|> bottleneck.
|
| You naively assume the vendor's point of view here, encoding output is
| not always sufficient!

True, but I usually choose appropriateness over performance. If you stick HTML-encoded data into your database and you are not going to be emitting HTML, then the encoding is entirely incorrect. When is the last time you received an email message for "Peter &amp; Paula Stavrinides"? It's not always appropriate to HTML-encode data, so you should only encode it when you are generating HTML.

|>> data is now more complex
|>
|> Is it? The same attack vectors exist today as did several years ago,
|> and the mitigations for those vectors are still the same.
|
| Are you kidding? If you cannot see this then there is little point to
| this discussion and so many projects out there are simply a waste of time!

Feel free to flip the bozo bit on me. Having built many web-based systems that perform well and work properly, I feel comfortable with my assertions and my advice. You can take it or leave it. I won't lose any sleep.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
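An added illustration of the distinction drawn in the reply above (example code written here, not anything posted in this thread): the raw value is stored, and the encoding is chosen by the output context, so one record is escaped for an HTML page, left alone for a plain-text e-mail, and percent-encoded for a URL; storing the value already HTML-encoded corrupts the non-HTML output instead. The customer records and the `customers` table are constructed for the example.

```python
import html
import sqlite3
from urllib.parse import quote

# Constructed sample records (not from the thread). The second one carries a
# quote and angle brackets, the characters an HTML output step must neutralise.
SAMPLE_NAMES = ["Peter & Paula Stavrinides", "O'Brien <admin>"]


def store_raw(conn, name):
    """Store the value exactly as received: a database column is not an HTML context."""
    conn.execute("INSERT INTO customers(name) VALUES (?)", (name,))


def store_pre_encoded(conn, name):
    """The approach argued against above: HTML-encode on the way into the database."""
    conn.execute("INSERT INTO customers(name) VALUES (?)", (html.escape(name),))


def render_html(name):
    """HTML body context: escape <, >, &, and quotes at the moment HTML is generated."""
    return f"<li>{html.escape(name)}</li>"


def render_email(name):
    """Plain-text e-mail context: no HTML encoding belongs here at all."""
    return f"Dear {name},"


def render_url_param(name):
    """URL query context: percent-encoding is the right encoding, HTML escaping is not."""
    return quote(name, safe="")


def demo(store):
    """Load the samples with the given storage policy, then render each record
    for the HTML and e-mail contexts. Returns a list of (html, email) pairs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(name TEXT)")
    for n in SAMPLE_NAMES:
        store(conn, n)
    rows = [r[0] for r in conn.execute("SELECT name FROM customers ORDER BY rowid")]
    return [(render_html(n), render_email(n)) for n in rows]


if __name__ == "__main__":
    for policy in (store_raw, store_pre_encoded):
        print(policy.__name__)
        for page, mail in demo(policy):
            print("  html :", page)
            print("  email:", mail)
```

With `store_pre_encoded` the e-mail greets "Peter &amp; Paula" and the HTML page shows "&amp;amp;" (double encoding); with `store_raw` both contexts come out right.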