[Catalyst] Re: [OT] protecting against attacks with multilingual input

Christopher H. Laco claco at chrislaco.com
Tue Dec 5 23:08:39 GMT 2006


A. Pagaltzis wrote:
> * Jonathan Rockway <jon at jrock.us> [2006-12-05 22:10]:
>> You need to escape &, <, >, ", and '.
>
>     s[([<>&"'])]{ '&#' . ord( $1 ) . ';' }ge;
>
> Regards,

Right. But don't do that (roll your own). Use the HTML plugin. Don't
reinvent the wheel when displaying the content in TT.

As for inserting into the db, if you're going to allow things like > and
< in data, don't HTML-encode them on the way into the db. HTML-encode
them when you need to display them in HTML.

-=Chris
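An added example (not from this thread or the Catalyst project) of the advice above: keep the stored value raw and escape at display time with Template Toolkit's built-in `html` filter, compared with pre-encoding on the way in, which double-encodes on output. It assumes the Template module is installed; the sample comment string is constructed.

```perl
#!/usr/bin/env perl
# Added example: escape-on-output versus escape-on-input in Template Toolkit.
use strict;
use warnings;
use utf8;
use Template;

binmode STDOUT, ':encoding(UTF-8)';

# Constructed sample input: multilingual text plus the five characters
# that need attention in an HTML context.
my $raw = q{Grüße <b>&</b> "Gōng'xǐ"};

# What belongs in the database: the raw string, untouched.
my %row = ( comment => $raw );

my $tt       = Template->new();
my $template = '<p>[% comment | html %]</p>';

# Correct: encode in the HTML context at display time via the filter.
my $out = '';
$tt->process( \$template, \%row, \$out ) or die $tt->error;
print "escape on output: $out\n";

# Wrong: the hand-rolled regex from the thread applied before storage,
# then the html filter again on display. The '&' of each '&#NN;' entity
# becomes '&amp;', so the browser shows the entity text literally.
( my $pre_encoded = $raw ) =~ s[([<>&"'])]{ '&#' . ord($1) . ';' }ge;
my $double = '';
$tt->process( \$template, { comment => $pre_encoded }, \$double )
    or die $tt->error;
print "encoded twice:    $double\n";

# Note: TT's html filter encodes &, <, > and " but leaves the apostrophe
# alone, so only use it for element content and double-quoted attributes.
```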
