incubator-esme-dev mailing list archives

From David Pollak <feeder.of.the.be...@gmail.com>
Subject Re: escape and unescape message
Date Fri, 16 Oct 2009 03:08:30 GMT
On Thu, Oct 15, 2009 at 6:51 PM, Xuefeng Wu <benewu@gmail.com> wrote:

> Hi,
>
> I try to input a message like this:
>
> Testing <script>alert('test')</script>
> Show:
> Testing &lt;script&gt;alert&lt;/script&gt;
>

Oooo.... that's a can of worms.  Knowing which things are escaped and which
are not is tricky and potentially a huge security risk.

I would encourage escaping all Strings unless they are clearly marked as "do
not escape".


>
>
> I think the message should be unescaped before display.
>
> --
> Scala Chinese community:  http://groups.google.com/group/scalacn
>



-- 
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Surf the harmonics
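An added example (not ESME or Lift code, and in Python rather than Scala) of the policy David recommends: every string is escaped exactly once at render time, and only a value wrapped in an assumed `SafeHtml` marker type bypasses the escaping. It also reproduces the double-escaped output Xuefeng reported and shows why "unescape before display" is the security risk.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeHtml:
    """Markup explicitly marked "do not escape" (assumed marker type).

    Only wrap markup the application itself produced in this; never wrap
    raw user input.
    """
    markup: str


def render(value) -> str:
    """Escape-by-default: a SafeHtml value passes through untouched,
    everything else is treated as plain text and entity-encoded."""
    if isinstance(value, SafeHtml):
        return value.markup
    return html.escape(str(value), quote=True)


def display_message(stored: str) -> str:
    """Correct pipeline: the stored text is kept raw and escaped once,
    here, at output time. The browser shows a literal "<script>" and
    executes nothing."""
    return "<p>" + render(stored) + "</p>"


def display_unescaped(stored: str) -> str:
    """The remedy proposed in the thread: unescape before display, with
    no escaping at render. If the stored value was user input escaped on
    the way in, the original markup is put straight back into the page."""
    return "<p>" + html.unescape(stored) + "</p>"


# Constructed sample input: the same message as in the thread.
USER_INPUT = "Testing <script>alert('test')</script>"

if __name__ == "__main__":
    print("escaped once at render:", display_message(USER_INPUT))
    # What Xuefeng saw: escaped on input AND on output, so the entities
    # themselves were encoded (&amp;lt;) and displayed verbatim.
    print("double-escaped:", display_message(html.escape(USER_INPUT)))
    # Why unescaping is the wrong fix: the script tag is live again.
    print("unescape-then-display:", display_unescaped(html.escape(USER_INPUT)))
    # Trusted markup must be marked as such to bypass escaping.
    print("marked safe:", render(SafeHtml("<b>system notice</b>")))
```

The fix for the double-escaping symptom is to drop the escape on input, not to add an unescape on output.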
