esme-dev mailing list archives

From Ethan Jewett <esjew...@gmail.com>
Subject Re: escape and unescape message
Date Fri, 16 Oct 2009 15:13:03 GMT
I think this is the same as Jira issue 113 that I created yesterday.
(https://issues.apache.org/jira/browse/ESME-113).

Escaping is the right thing to do on the server side, I think, but why
aren't these HTML entity codes getting displayed as the correct
characters by the browser?

Ethan

On Thu, Oct 15, 2009 at 10:08 PM, David Pollak
<feeder.of.the.bears@gmail.com> wrote:
> On Thu, Oct 15, 2009 at 6:51 PM, Xuefeng Wu <benewu@gmail.com> wrote:
>
>> Hi,
>>
>> I try to input message like this:
>>
>> Testing <script>alert('test')</script>
>> Show:
>> Testing &lt;script&gt;alert&lt;/script&gt;
>>
>
> Oooo.... that's a can of worms.  Knowing which things are escaped and which
> are not is tricky and potentially a huge security risk.
>
> I would encourage escaping all Strings unless they are clearly marked as "do
> not escape"
>
>
>>
>>
>> I think the message should be unescape before display.
>>
>> --
>> Scala Chinese community:  http://groups.google.com/group/scalacn
>>
>
>
>
> --
> Lift, the simply functional web framework http://liftweb.net
> Beginning Scala http://www.apress.com/book/view/1430219890
> Follow me: http://twitter.com/dpp
> Surf the harmonics
>
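
The escape-by-default rule David describes ("escape all Strings unless they are clearly marked as do not escape") and the double-escaping symptom Xuefeng saw (entities showing up as literal text in the browser), as an added example in JavaScript. It is not part of this thread and is not ESME or Lift code. The names `escapeHtml`, `TrustedHtml`, `renderMessage` and `displayedText` are hypothetical, the sample message is constructed from the one in the thread, and `displayedText` is a deliberately minimal model of how a browser shows already-escaped text, not a real HTML parser.

```javascript
// Added example, not ESME/Lift code. Demonstrates: escape plain strings exactly
// once at output, pass through only explicitly marked trusted markup, and show
// why escaping twice makes the browser display "&lt;script&gt;" as literal text.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that change meaning in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Marker type for markup the caller has vetted ("do not escape"). Only values
// wrapped in this class bypass escaping; an ordinary string never does.
class TrustedHtml {
  constructor(markup) {
    this.markup = markup;
  }
}

// Render a message body for an HTML page: escape-by-default, trusted markup passes through.
function renderMessage(body) {
  if (body instanceof TrustedHtml) {
    return body.markup;
  }
  return escapeHtml(body);
}

// Simplified model of what the browser shows for a piece of HTML text:
// each entity is decoded once, in a single left-to-right pass, just as the
// browser does when displaying "&amp;lt;" as the literal text "&lt;".
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
function displayedText(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => DECODE_MAP[name]);
}

// Constructed sample, modelled on the message from the thread.
const SAMPLE_INPUT = "Testing <script>alert('test')</script>";

// Correct path: the raw message is stored, escaped exactly once when rendered.
// The browser shows the original text and no script element is created.
function renderOnce(input) {
  return renderMessage(input);
}

// Symptom from the thread: escaped on store, then escaped again by the view
// layer. The browser decodes only the outer layer, so the reader sees "&lt;".
function renderTwice(input) {
  return escapeHtml(escapeHtml(input));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('once  :', displayedText(renderOnce(SAMPLE_INPUT)));   // original text, harmless
  console.log('twice :', displayedText(renderTwice(SAMPLE_INPUT)));  // literal &lt;script&gt; on screen
  console.log('trusted:', renderMessage(new TrustedHtml('<b>bold</b>'))); // passes through as markup
}
```

The design choice worth noting is that the "do not escape" decision is carried by the type, not by a flag the view has to remember to check: anything that is just a string gets escaped, so forgetting to mark something fails safe (over-escaped, visible as the symptom above) rather than unsafe.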
