- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 26 Aug 2010 16:25:46 -0400
On 8/26/10 4:10 PM, Aryeh Gregor wrote:
> On Thu, Aug 26, 2010 at 5:58 AM, Julian Reschke <julian.reschke at gmx.de> wrote:
>> Not convinced. There's already one way to escape these things, and this is
>> supported in all UAs.
>
> Adam gave two examples of cases where htmlspecialchars() is
> insufficient, even if authors do use it. This proposal is completely
> general and will work anywhere, even in <script>.

Sorta. It'll let you put the data in <script>, but it won't verify that the
data doesn't change the meaning of the script, obviously, or inject script of
its own to run.

> Is automated general escaping even possible right now in <script> for text/html?

Defined how?

-Boris
Received on Thursday, 26 August 2010 13:25:46 UTC
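Added illustration, not part of the thread and not code from any participant: the point Boris makes about `<script>`, shown in Node-style JavaScript. Inside a `<script>` element in text/html the tokenizer treats the content as raw text, so character references such as `&lt;` are never decoded, and an HTML-escaping routine leaves the characters that matter to the JavaScript grammar (`'`, `\`, line terminators) untouched. The `htmlspecialchars` below is an assumed approximation of PHP's function with its default flags; the template shape (`var name = ...;`) and the helper names are constructed for this example. The last function is the "verify" step Boris says escaping alone does not give you: it checks that what landed in the script is still exactly one string literal.

```javascript
// Approximation of PHP's htmlspecialchars() with its default flags (assumed
// here): '&', '<', '>' and '"' are replaced; the single quote is left alone.
function htmlspecialchars(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Naive template: HTML-escape the value and drop it into a single-quoted JS
// string. Inside <script> the HTML tokenizer never decodes &lt; and friends,
// so the entities reach the JS engine as literal text, while ' and \ pass
// straight through and can terminate the string literal.
function buildScriptNaive(untrusted) {
  return "<script>var name = '" + htmlspecialchars(untrusted) + "';</script>";
}

// Context-aware alternative: JSON-encode the value (handles quotes,
// backslashes and control characters for the JS grammar), then replace the
// characters that matter to the HTML tokenizer (so "</script>" and "<!--"
// cannot appear) and the JS line terminators U+2028/U+2029 with \uXXXX
// escapes, which are valid both as JSON and as JavaScript.
function jsStringLiteralForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildScriptSafe(untrusted) {
  return "<script>var name = " + jsStringLiteralForScript(untrusted) + ";</script>";
}

// The check escaping does not give you: does the emitted script still have
// the shape the template intended, namely one assignment of one string
// literal? JSON.parse accepts exactly one JSON value, so it doubles as a
// strict parser for that shape. Returns the assigned string, or null when
// the markup or the literal has been altered.
function assignedStringOrNull(scriptHtml) {
  const m = /^<script>var name = ([\s\S]*);<\/script>$/.exec(scriptHtml);
  if (!m) return null;                 // markup structure broken
  try {
    const v = JSON.parse(m[1]);        // exactly one JSON value, or throws
    return typeof v === "string" ? v : null;
  } catch (e) {
    return null;                       // not a single string literal
  }
}

// Constructed sample inputs: a string-literal break-out, a tag break-out,
// and an innocuous value that HTML escaping corrupts inside <script>.
const SAMPLES = [
  "'; alert(1); //",
  "</script><script>alert(1)</script>",
  "a & b\u2028c",
];

function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    naive: buildScriptNaive(s),
    naiveParsesAsString: assignedStringOrNull(buildScriptNaive(s)) !== null,
    safe: buildScriptSafe(s),
    safeRoundTrips: assignedStringOrNull(buildScriptSafe(s)) === s,
  }));
}
```

Running `demo()` shows the naive template passing the check for none of the three inputs (the single quote in the first ends the literal early, and in the second and third the value that reaches JavaScript is `&lt;/script&gt;...` and `a &amp; b`, not the original data), while the JSON-based literal round-trips all three and contains no `<`, `>` or `&` for the HTML tokenizer to act on.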