On Thu, 20 Mar 2003, Greg Fenton wrote:
> --- Bill Moseley <email@example.com> wrote:
> > On Thu, 20 Mar 2003, McKenzie, Chuck wrote:
> > Fork and exec and then you don't have to worry about what characters
> > are entered [...]
> How does this stop a cross-site scripting bug?
You mean how do you prevent someone from entering HTML that ends up being
displayed? Escape HTML.
In the example I posted the other day, I had this for displaying the query:
Found [% swish.hits %] hits for <b>[% query | html %]</b>
That's using Template-Toolkit's "html" filter.
Or do you mean something else?
Bill Moseley firstname.lastname@example.org
Received on Mon Mar 24 18:25:47 2003
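To make the escaping step concrete, here is an added example (not from Bill's message or from any project on this list) that renders the template line quoted above with Template Toolkit, once with the `html` filter and once without; the `query` value is a constructed sample containing markup.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample input: a search string that happens to contain markup.
my $vars = {
    swish => { hits => 3 },
    query => '<b>rogue</b> & "quotes"',
};

# The template line from the message, with the html filter applied to the
# user-supplied query, next to the same line with the filter left out.
my %templates = (
    escaped   => 'Found [% swish.hits %] hits for <b>[% query | html %]</b>',
    unescaped => 'Found [% swish.hits %] hits for <b>[% query %]</b>',
);

my $tt = Template->new() or die Template->error();

for my $name ( sort keys %templates ) {
    my $out;
    $tt->process( \$templates{$name}, $vars, \$out )
        or die $tt->error();
    print "$name: $out\n";
}
```

The `escaped` line comes out with `&lt;`, `&gt;`, `&amp;` and `&quot;` where the query had `<`, `>`, `&` and `"`, so the browser displays the query as text; the `unescaped` line passes the markup through verbatim, which is the cross-site scripting bug the filter prevents.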