[Catalyst] Re: [OT] protecting against attacks with multilingual input
A. Pagaltzis
pagaltzis at gmx.de
Wed Dec 6 08:38:30 GMT 2006
* Christopher H. Laco <claco at chrislaco.com> [2006-12-06 00:15]:
> A. Pagaltzis wrote:
> > * Jonathan Rockway <jon at jrock.us> [2006-12-05 22:10]:
> >> You need to escape &, <, >, ", and '.
> >
> > s[([<>&"'])]{ '&#' . ord( $1 ) . ';' }ge;
> >
> > Regards,
>
> Right. But don't do that (roll your own). Use the HTML plugin.
> Don't reinvent the wheel when displaying the content in TT.
Yes, when in Template Toolkit, do as the Template Toolkitters do.
But when you’re not, it’s trivial to roll your own.
> As for inserting into the db, if you're going to allow things
> like > and < in data, don't html encode them on the way into
> the db. HTML-encode them when you need to display them in HTML.
++
Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
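The escaping one-liner quoted in the thread, wrapped into a small Perl program that also shows the second point of the discussion: store raw text, escape only at display time. This is an added example, not code from the thread or from Catalyst/Template Toolkit; `html_escape`, `store_comment`, `render_comment` and the `%db` hash standing in for a database table are all my own assumed names, and the sample input is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five HTML-significant characters (& < > " ') as numeric
# character references. Same substitution as the one-liner in the thread,
# applied to a copy so the caller's value is left untouched.
sub html_escape {
    my ($text) = @_;
    return '' unless defined $text;
    (my $escaped = $text) =~ s{([<>&"'])}{ '&#' . ord($1) . ';' }ge;
    return $escaped;
}

# Assumed stand-in for a database table: a plain hash keyed by row id.
my %db;

# On the way in, store the raw text exactly as the user supplied it.
# No HTML encoding here; the database is not an HTML context.
sub store_comment {
    my ($id, $body) = @_;
    $db{$id} = $body;
}

# On the way out, escape at the point where the text enters HTML.
sub render_comment {
    my ($id) = @_;
    return '<p>' . html_escape($db{$id}) . '</p>';
}

# Constructed sample input containing every character the thread lists.
my $input = q{Tom & Jerry <b>say</b> "hi" it's 1 < 2};

store_comment(42, $input);
print render_comment(42), "\n";

# What goes wrong if you encode before storing: the stored value is now
# HTML, not text, so any later escape at render time encodes the '&'
# of each entity a second time (double encoding).
my $stored_encoded = html_escape('a < b');
print html_escape($stored_encoded), "\n";
```

Running it prints the comment with every listed character replaced by a numeric reference, and the final line shows the double-encoded form that results when data is escaped both on storage and on output, which is the failure the thread warns against.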