- From: Edward Thomas <mcai7et2@stud.umist.ac.uk>
- Date: Fri, 11 Feb 2000 08:41:22 +0000
- To: Grahame Grieve <grahame@kestral.com.au>, "www-talk@w3c.org" <www-talk@w3c.org>
Grahame Grieve wrote:
>
> We are having a bit of a quandary about a security
> related issue. We have a standard web application
> that allows users to enter information, which is then
> redisplayed, possibly to other users.
>
> We wish to stop users putting scripts into the
> text they enter (a security issue receiving press
> at the moment, which prompted us to revive this issue)
>
> It seemed to us the best way to stop this was to
> convert any "<" to &lt; as we stored it in our
> database. However this gives a problem when putting
> the text entered back into the text box, as we
> can't tell the difference between us showing
> "text &lt; text" for what was originally "text < text"
> and the user actually typing "text &lt;text"
>
> There are several variations that arise with this problem.
> For performance reasons we'd rather store the text
> "html-safe" and back convert it when putting it into
> a text box.
>
> Does anyone have a good way of handling this problem?

Why not also convert '&' characters entered by the user into '&amp;' entities? Then when it is reconverted, a '&lt;' will be a '<' and a '&amp;lt;' will be '&lt;'.

>
> Grahame
Received on Friday, 11 February 2000 03:39:17 UTC
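The round trip Edward proposes, as an added example that is not part of the original thread: the "only convert <" scheme from the question beside the "convert & as well" scheme from the reply, with the encode and decode order made explicit, because the order is what makes the reply work. The function names and the sample strings are constructed for illustration and are not from the list posting.

```python
import html

# Order matters: '&' must be escaped FIRST. If '<' were converted before '&',
# the '&' that "&lt;" introduces would itself be re-escaped to "&amp;lt;".
ESCAPES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;")]


def store_naive(text: str) -> str:
    """The scheme from Grahame's question: only '<' is converted on the way in.

    Ambiguous: a literal "&lt;" typed by the user and an escaped '<' end up
    byte-for-byte identical in the database, so they cannot be told apart later.
    """
    return text.replace("<", "&lt;")


def store_safe(text: str) -> str:
    """Edward's suggestion: escape '&' too, and do it before the others."""
    for raw, entity in ESCAPES:
        text = text.replace(raw, entity)
    return text


def restore(stored: str) -> str:
    """Exact inverse of store_safe: undo in the opposite order, '&amp;' last.

    A user's literal "&lt;" was stored as "&amp;lt;"; decoding '&lt;' first and
    '&amp;' last turns it back into "&lt;" rather than into a bare '<'.
    """
    for raw, entity in reversed(ESCAPES):
        stored = stored.replace(entity, raw)
    return stored


def restore_wrong_order(stored: str) -> str:
    """The classic decode bug: '&amp;' undone first, so "&amp;lt;" collapses to '<'.

    Kept here only to show the failure mode; do not use.
    """
    for raw, entity in ESCAPES:
        stored = stored.replace(entity, raw)
    return stored


def restore_stdlib(stored: str) -> str:
    """Python's html.unescape decodes the same entities (and many more) in one
    pass, so it can stand in for restore() on text produced by store_safe()."""
    return html.unescape(stored)


def round_trips(text: str) -> bool:
    """True when store_safe followed by restore returns the input unchanged."""
    return restore(store_safe(text)) == text


if __name__ == "__main__":
    # Constructed sample inputs: a typed '<', a typed literal entity, and a script tag.
    typed_lt = "text < text"
    typed_entity = "text &lt; text"
    script = '<script>alert("x&y")</script>'

    print("naive scheme ambiguous:", store_naive(typed_lt) == store_naive(typed_entity))
    print("safe scheme distinct:  ", store_safe(typed_lt) != store_safe(typed_entity))
    for sample in (typed_lt, typed_entity, script):
        print(repr(sample), "->", repr(store_safe(sample)), "round trip:", round_trips(sample))
    print("wrong decode order gives:", repr(restore_wrong_order(store_safe(typed_entity))))
```

The stored form is safe to write straight into a `<textarea>` or a `value="..."` attribute without calling `restore()` at all: browsers decode character references in both of those contexts, so the user sees the text they typed, while the escaped `<` cannot close the textarea or start a tag. `restore()` is only needed when the application wants the raw text itself, for example to search it or hand it to a non-HTML consumer.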