perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Clinton Gormley <>
Subject Re: Fwd: XSS evasion
Date Mon, 09 Oct 2006 15:23:22 GMT

> This sounds like a good approach, but it's worth noting that XSS is
> fundamentally an escaping problem, not a filtering one. Nitesh Dhanjani
> discusses this a bit here:

Yes and no.  From the article:
Therefore, I frequently come across situations where developers fix XSS
problems by attempting to filter out meta-characters (<, >, /, “, ‘,
etc). At times, if an exhaustive list of meta-characters is used, it
does solve the problem, but it makes the application less friendly to
the end user – a large set of characters are deemed forbidden.

If the input that you are wanting to display is (eg) a surname, then
certainly, escaping will serve your purposes.  However, if you are
wanting your user to be able to input HTML and then view it as HTML,
escaping isn't sufficient.  The combination is required.


Clinton Gormley - For travellers, By travellers

View raw message