- From: Grahame Grieve <grahame@kestral.com.au>
- Date: Fri, 11 Feb 2000 12:24:56 +1100
- To: www-talk@w3c.org
- Cc: jeffs@kestral.com.au
We are having a bit of a quandary about a security related issue. We have a standard web application that allows users to enter information, which is then redisplayed, possibly to other users. We wish to stop users putting scripts into the text they enter (a security issue receiving press at the moment, which prompted us to revive this issue). It seemed to us the best way to stop this was to convert any "<" to &lt; as we stored it in our database.

However, this gives a problem when putting the text entered back into the text box, as we can't tell the difference between us showing "text &lt; text" for what was originally "text < text" and the user actually typing "text &lt;text". There are several variations that arise with this problem.

For performance reasons we'd rather store the text "html-safe" and back convert it when putting it into a text box. Does anyone have a good way of handling this problem?

Grahame
Received on Thursday, 10 February 2000 20:33:27 UTC
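The round-trip ambiguity described in the message above, as an added worked example that is not part of the original post or its replies. It uses Python's standard `html` module and constructed sample inputs (none of them from the message). It shows why converting only `<` on the way into the database is lossy: two different user inputs collide in storage, so the text box cannot be refilled faithfully. Escaping `&` as well (which is what `html.escape` does, `&` first) makes the stored form reversible, and escaping at output time with the same function neutralises script tags for the HTML body and a `<textarea>` alike.

```python
import html

# Constructed sample inputs (not taken from the original message).
LITERAL_LT = "text < text"        # user typed a real less-than sign
LITERAL_ENTITY = "text &lt; text"  # user literally typed the five characters "&lt;"
SCRIPT = "<script>alert(1)</script>"  # the kind of input the post wants to block
MIXED = 'a "quoted" & b </textarea>'  # quotes, ampersand, and a tag that would close a textarea


def store_lt_only(user_input: str) -> str:
    """The scheme from the post: convert only '<' when storing (lossy)."""
    return user_input.replace("<", "&lt;")


def store_full_escape(user_input: str) -> str:
    """Store 'html-safe' but reversibly: html.escape replaces '&' first,
    then '<', '>', '"' and "'", so no two inputs share a stored form."""
    return html.escape(user_input, quote=True)


def back_to_textbox(stored: str) -> str:
    """Undo the storage escaping before refilling an edit box
    (only meaningful when the stored form is reversible)."""
    return html.unescape(stored)


def render_body(stored_reversible: str) -> str:
    """Emit stored text into an HTML body; stored form is already safe,
    because html.escape was applied once and '&' is covered."""
    return stored_reversible


def render_textarea(stored_reversible: str) -> str:
    """Wrap the stored (escaped) text in a textarea. Because '<' is '&lt;',
    a user-supplied '</textarea>' cannot break out of the element."""
    return f"<textarea>{stored_reversible}</textarea>"


def is_ambiguous(store_fn, inputs) -> bool:
    """True if two distinct inputs map to the same stored value,
    i.e. the original text cannot be recovered for the text box."""
    seen = {}
    for s in inputs:
        k = store_fn(s)
        if k in seen and seen[k] != s:
            return True
        seen[k] = s
    return False


if __name__ == "__main__":
    pair = [LITERAL_LT, LITERAL_ENTITY]
    print("'<'-only escaping ambiguous:", is_ambiguous(store_lt_only, pair))
    print("full escaping ambiguous:    ", is_ambiguous(store_full_escape, pair))
    for src in (LITERAL_LT, LITERAL_ENTITY, SCRIPT, MIXED):
        stored = store_full_escape(src)
        print(repr(src), "->", repr(stored), "->", repr(back_to_textbox(stored)))
    print(render_textarea(store_full_escape(MIXED)))
```

With `store_full_escape`, every sample survives the trip database to text box and back unchanged, and the same stored string can be dropped straight into the page body or a textarea without a second conversion. With `store_lt_only`, `"text < text"` and `"text &lt; text"` both become `"text &lt; text"`, which is exactly the collision the message describes.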