[Catalyst] [OT] protecting against attacks with multilingual input

Nilson Santos Figueiredo Junior acid06 at gmail.com
Tue Dec 5 21:21:17 GMT 2006


On 12/5/06, Jonathan Rockway <jon at jrock.us> wrote:
> Nilson Santos Figueiredo Junior wrote:
> > This way, everything will probably just work, even when the user has a
> > "<" on their names or any other weird characters.
>
> No, you can inject plenty of bad code without <.  You need to escape &,
> <, >, ", and '.

Quoting myself:
"...everything will probably just work, even when the user has a "<"
on their names *or any other weird characters*."

Specifically you could use TT's already existing "html" filter. Or
even write your own.

-Nilson Santos F. Jr.
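The escaping Jonathan lists (&, <, >, ", and ') is what an HTML output filter has to do to user-supplied text such as a name. The script below is an added example, not code from the thread or from Template Toolkit; it shows that escaping done in plain Perl in one pass, which avoids the ordering mistake of escaping "&" after the other characters and double-escaping the entities just produced. The sample name is constructed. When relying on TT's built-in `html` filter (`[% user.name | html %]`) instead, check against the Template::Filters documentation which of the five characters it covers; the single-quote case only matters once the value is placed inside a single-quoted attribute, where an unescaped `'` ends the attribute.

```perl
#!/usr/bin/perl
# Added example (not from the thread): escape the five characters that
# change meaning in HTML so user text can be placed in element content or
# in a double- or single-quoted attribute value without altering the markup.
use strict;
use warnings;

my %entity = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',   # &apos; is not defined in HTML 4, so use the numeric form
);

sub html_escape {
    my ($text) = @_;
    return '' unless defined $text;
    # One pass with a lookup table: every character is replaced exactly once,
    # so the '&' of a freshly produced entity is never escaped again.
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Constructed sample: a name as a user might have typed it into a form.
my $name = q{O'Brien & "Sons" <Ltd>};
my $safe = html_escape($name);

print "<p>Hello, $safe</p>\n";
print qq{<input type="text" value="$safe">\n};
print qq{<input type="text" value='$safe'>\n};

# Self-check of the expected result.
my $expected = 'O&#39;Brien &amp; &quot;Sons&quot; &lt;Ltd&gt;';
die "escape mismatch: got '$safe'" unless $safe eq $expected;
```

The same function can be registered as a custom filter with Template Toolkit's FILTERS option if the built-in one does not cover every character needed for a given context; the escaping has to happen at output time, per context, rather than once on the stored data, so the stored name keeps its original characters.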


