> > > Thanks. This works. I do have access control for who can read the
> > > reports.
> > Access control does not prevent cross-site scripting :(
> I suppose I don't really understand what cross-site scripting means.
> The change to isurlchar() is only to webalizer, nothing is changed on
> the Apache server side.
> You mentioned something about someone sending a bogus query string to
> make it to the top 20. Let us further assume someone else gets to see
> the report Webalizer makes. He sees the URL with the bogus
> query string. What then?
See this CERT advisory: http://www.cert.org/advisories/CA-2000-02.html
Bradford L. Barrett brad@...
A free electron in a sea of neutrons DoD#1750 KD4NAW
The only thing Micro$oft has done for society, is make people
believe that computers are inherently unreliable.