Grahame Grieve wrote:
>
> We are having a bit of a quandary about a security
> related issue. We have a standard web application
> that allows users to enter information, which is then
> redisplayed, possibly to other users.
>
> We wish to stop users putting scripts into the
> text they enter (a security issue receiving press
> at the moment, which prompted us to revive this issue)
>
> It seemed to us the best way to stop this was to
> convert any "<" to &lt; as we stored it in our
> database. However this gives a problem when putting
> the text entered back into the text box, as we
> can't tell the difference between us showing
> "text &lt; text" for what was originally "text < text"
> and the user actually typing "text &lt;text"
>
> There are several variations that arise with this problem.
> For performance reasons we'd rather store the text
> "html-safe" and back convert it when putting it into
> a text box.
>
> Does anyone have a good way of handling this problem?

Why not also convert '&' characters entered by the user into '&amp;' entities, then when it is reconverted, a '&lt;' will be a '<' and a '&amp;lt;' will be '&lt;'

>
> Grahame

Received on Friday, 11 February 2000 03:39:17 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:24 GMT
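The point of the reply above is that escaping only `<` is not an invertible transformation (a user who typed `<` and a user who typed the literal text `&lt;` end up stored identically), whereas escaping `&` as well makes the stored form unambiguous and safe to round-trip into a text box. The following is an added example, not code from the thread or from either participant; the function names `escape_lt_only`, `escape_full`, `unescape_full`, `round_trips` and `render_input` are assumptions chosen for illustration. It contrasts the two schemes and checks the result against Python's standard library.

```python
import html

# "Before" scheme from the question: escape only '<'.  Two different
# user inputs collapse to the same stored string, so the original
# cannot be recovered (the ambiguity Grahame describes).
def escape_lt_only(text: str) -> str:
    return text.replace("<", "&lt;")

# "After" scheme from the reply: escape '&' FIRST, then the markup
# characters.  Escaping '&' first is essential; otherwise the '&' that
# '&lt;' introduces would itself be re-escaped.  This mapping is
# injective, so it can be reversed without loss.
def escape_full(text: str) -> str:
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))

# Inverse of escape_full.  Decode '&amp;' LAST: decoding it first would
# turn a stored '&amp;lt;' (user typed the literal text '&lt;') into
# '&lt;' and then wrongly into '<'.
def unescape_full(stored: str) -> str:
    return (stored.replace("&quot;", '"')
                  .replace("&gt;", ">")
                  .replace("&lt;", "<")
                  .replace("&amp;", "&"))

# True when the stored "html-safe" form decodes back to exactly the
# text the user entered.
def round_trips(text: str) -> bool:
    return unescape_full(escape_full(text)) == text

# The stored html-safe string can be dropped straight into a quoted
# attribute value (the "performance reason" in the thread): the browser
# decodes the entities, so the text box shows what the user typed, and
# no '<' or '"' from the user can break out of the attribute.
def render_input(stored: str) -> str:
    return f'<input type="text" name="comment" value="{stored}">'

if __name__ == "__main__":
    # Constructed sample inputs: one user types a real '<', another
    # types the six characters '&lt;' literally.
    typed_lt = "text < text"
    typed_entity = "text &lt; text"

    print("lt-only:", escape_lt_only(typed_lt), "|", escape_lt_only(typed_entity))
    print("full:   ", escape_full(typed_lt), "|", escape_full(typed_entity))
    print("round trip ok:", round_trips(typed_lt) and round_trips(typed_entity))
    print(render_input(escape_full('x" onmouseover="y() <b>')))
```

With the `<`-only scheme both sample inputs are stored as `text &lt; text`; with the full scheme they are stored as `text &lt; text` and `text &amp;lt; text` respectively, and `unescape_full` returns each user's original text. In production code the standard library's `html.escape` (which additionally escapes `'`) and `html.unescape` do the same job; the hand-written versions are only here to make the ordering of the replacements visible.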