
Re: [Cheetahtemplate-discuss] PTL/Cheetah article

  • Shannon -jj Behrens
    Aug 3, 2005

      You bring up a good point about auto escaping. I read about session
      injection attacks <http://www.acros.si/papers/session_fixation.pdf>,
      and a single XSS vulnerability anywhere within some
      subdomain.example.com makes it possible to hijack sessions for
      anyothersubdomain.example.com. It's probably better if we start
      erring on the side of overcaution when it comes to HTML escaping.

      Hence, I think that perhaps:

      - a NameMapper filter should automatically escape things as you laid
      out in your article
      - each Cheetah method should return an htmltext instance so that its
      content doesn't get re-escaped

      Best Regards,

      On 8/3/05, mso@... <mso@...> wrote:
      > Here's an article I wrote about PTL and Cheetah.
      > http://linuxgazette.net/117/orr.html

      I have decided to switch to Gmail, but messages to my Yahoo account will
      still get through.

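The two-part proposal in the message above (an escaping filter applied to every interpolated value, plus a marker type so that output from one template method is not escaped again when embedded in another) can be sketched in a few lines of Python. The code below is an added illustration, not code from this thread or from the Cheetah project: the `htmltext` class borrows only the name used in the proposal, and the `render` function is a toy stand-in for Cheetah's real placeholder and filter machinery, so its `$placeholder` syntax is an assumption. It shows untrusted input being escaped exactly once, and contrasts the marker-type design with a naive version that double-escapes nested fragments.

```python
import html
import re


class htmltext(str):
    """Marker type (name taken from the proposal above): a str whose content is
    already safe HTML. The escaping filter passes instances through untouched,
    so a fragment rendered by one template method can be embedded in another
    without being escaped a second time."""
    __slots__ = ()


def escape(value):
    """Filter applied to every interpolated value.

    Anything that is not already htmltext is HTML-escaped (including quotes,
    so the result is safe inside attribute values as well as element text).
    """
    if isinstance(value, htmltext):
        return value
    if value is None:
        return htmltext("")
    return htmltext(html.escape(str(value), quote=True))


# Toy placeholder syntax (assumption): $name or ${name}, one word per placeholder.
_PLACEHOLDER = re.compile(r"\$\{?(\w+)\}?")


def render(template, namespace, filt=escape):
    """Minimal stand-in for a filtered Cheetah template: each placeholder is
    looked up in `namespace`, passed through `filt`, and the finished string is
    marked as htmltext so callers can embed it safely."""
    def substitute(match):
        return filt(namespace[match.group(1)])
    return htmltext(_PLACEHOLDER.sub(substitute, template))


def render_comment(author, body):
    """One template 'method': both arguments are untrusted user input."""
    return render("<li><b>$author</b>: $body</li>",
                  {"author": author, "body": body})


def render_page(comments):
    """Outer template method that embeds the inner one.

    str.join() returns a plain str even when every piece is htmltext, so the
    joined fragment is re-wrapped; otherwise the filter would escape it again.
    """
    items = htmltext("".join(render_comment(a, b) for a, b in comments))
    return render("<ul>$items</ul>", {"items": items})


def render_page_naive(comments):
    """Same page without the marker type: the inner fragments are treated as
    ordinary strings and get escaped a second time, so the list items render
    as literal '&lt;li&gt;' text instead of markup."""
    items = "".join(str(render_comment(a, b)) for a, b in comments)
    return render("<ul>$items</ul>", {"items": items})


if __name__ == "__main__":
    # Constructed sample input: a hostile comment body and an ampersand in the name.
    sample = [("Mallory & Co", "<script>alert(1)</script>")]
    print(render_page(sample))
    print(render_page_naive(sample))
```

Running the module prints the safe page first (the script tag appears as `&lt;script&gt;`, the list markup is intact) and then the naive version, where the `<li>` tags themselves have been turned into `&lt;li&gt;` text. The marker type is what lets escaping be the default without breaking composition; the remaining discipline is never to wrap raw user input in `htmltext` by hand.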