On Thu, 20 Mar 2003, Greg Fenton wrote:
>
> --- Bill Moseley <moseley@hank.org> wrote:
> > On Thu, 20 Mar 2003, McKenzie, Chuck wrote:
> >
> > Fork and exec and then you don't have to worry about what characters
> > are entered [...]
>
> How does this stop a cross-site scripting bug?
You mean how do you prevent someone from entering HTML that ends up being
displayed? Escape HTML.
In the example I posted the other day, I had this for displaying the query:
Found [% swish.hits %] hits for <b>[% query | html %]</b>
That's using Template-Toolkit's "html" filter.
Or do you mean something else?
--
Bill Moseley moseley@hank.org
Received on Mon Mar 24 18:25:47 2003
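The template line quoted above, rendered with and without Template Toolkit's "html" filter, as an added example (this is not code from the original post or from the SWISH-E project). The query string and the swish.hits value are constructed sample data; the only module it assumes is Template Toolkit itself.

```perl
#!/usr/bin/perl
# Added example, not from the original post: render the same query line
# with and without the Template Toolkit "html" filter, using a constructed
# query string that contains each character the filter escapes (& < > ").
use strict;
use warnings;
use Template;   # Template Toolkit, the engine the list post refers to

my $tt = Template->new() or die Template->error;

# Constructed sample values; a real page would take "query" from the request
my $vars = {
    swish => { hits => 3 },
    query => 'a <b>bold</b> & "quoted" query',
};

# Without the filter, whatever the user typed lands in the page as markup
my $unsafe = 'Found [% swish.hits %] hits for <b>[% query %]</b>';
# With the filter, & < > " are replaced by &amp; &lt; &gt; &quot;,
# so the browser shows the query text instead of interpreting it
my $safe   = 'Found [% swish.hits %] hits for <b>[% query | html %]</b>';

for my $tmpl ($unsafe, $safe) {
    my $out;
    $tt->process(\$tmpl, $vars, \$out) or die $tt->error;
    print "$out\n";
}
```

Running it prints the unfiltered line first (the user's `<b>` tags become real tags in the page) and the filtered line second, with the four characters turned into entities. The filter only covers HTML body and attribute-value context; a value placed inside a script block or a URL needs a context-appropriate filter (for URLs, Template Toolkit's `uri` filter) rather than `html`.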