
Re: HTML Security Issue

From: Jeff Sinclair <jeffs@kestral.com.au>
Date: Wed, 16 Feb 2000 09:35:48
To: www-talk@w3c.org

The problem is that the edit box does its own conversion.
When a user puts  "  &lt;  "  into an edit box, if you just 
put it back the same into the edit box it will show as  "  <  ",
so you encode it as "  &amp;lt;   " and then it shows as 
"  &lt;  "  exactly as the user typed it, fine.

When the user now submits the form again, if you get
  " &amp;lt; "  you can not tell if the user 
did nothing or if the user manually changed it to " &amp;lt; ";
in the first case you don't want to reconvert it, in the second 
you do.

   <input type="text" size=60 maxlength=60 name="title" value=" &lt; ">

shows as  "<";

Edit boxes should not do any conversion and just show what 
is in the string. 

Jeff Sinclair

At 10:53 11/02/2000 -0500, you wrote:
>On Fri, 11 Feb 2000, Jeff Sinclair wrote:
>> Hi Edward,
>> Nice idea, but what if the user puts in "&amp" 
>> you can't tell the difference between that and what came 
>> out of the database. So if you convert it when going into the
>> database you get "&amp;amp" and then "&amp;amp;amp" etc 
>Um, isn't that the behaviour you want?  Just keep tabs on whether it is
>encoded or not.  It's kinda like dealing with URIs.
>Russell O'Connor                           roconnor@uwaterloo.ca
>       <http://www.undergrad.math.uwaterloo.ca/~roconnor/>
>``Paradoxically, a refusal to `put a monetary value on life' means that
>life is often undervalued.'' -- Artificial Intelligence: A Modern Approach
Received on Tuesday, 15 February 2000 20:30:16 UTC
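The round trip the thread argues about, as an added example (not code from either poster): the server renders the stored string into a value attribute, the browser decodes the attribute once, and an untouched field submits that decoded text. Function names are hypothetical; it uses Python's standard html module.

```python
import html

# Constructed model of the form round trip: render -> browser decodes once ->
# user leaves the field alone -> browser submits the decoded text -> store.


def render_input(stored: str) -> str:
    """Render the stored string into value="...", escaping on OUTPUT only.
    That is the single place any conversion happens."""
    return f'<input type="text" name="title" value="{html.escape(stored, quote=True)}">'


def attr_value(markup: str) -> str:
    """Pull the raw text between value=" and the closing quote."""
    start = markup.index('value="') + len('value="')
    return markup[start:markup.index('"', start)]


def browser_submits(attr_text: str) -> str:
    """A browser decodes character references in an attribute exactly once;
    an untouched field submits that decoded text."""
    return html.unescape(attr_text)


def store_raw(submitted: str) -> str:
    """Correct handling: keep what was submitted, with no conversion on input."""
    return submitted


def store_escaped(submitted: str) -> str:
    """The mistake Jeff describes: converting on the way IN as well."""
    return html.escape(submitted, quote=True)


def cycle(stored: str, store, rounds: int = 3) -> str:
    """Render, let the browser decode, resubmit untouched, store; repeat.
    With store_raw the text is stable; with store_escaped it grows each round."""
    for _ in range(rounds):
        stored = store(browser_submits(attr_value(render_input(stored))))
    return stored


def verbatim_display(stored: str) -> str:
    """What the browser shows when the stored text is dropped into value=""
    unescaped, i.e. the <input ... value=" &lt; "> case from the post."""
    return browser_submits(stored)
```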

This archive was generated by hypermail 2.4.0 : Monday, 20 January 2020 16:08:24 UTC