Re: HTML Security Issue

  • Russell Steven Shawn O'Connor
    Message 1 of 5 , Feb 11, 2000
      On Fri, 11 Feb 2000, Jeff Sinclair wrote:

      > Hi Edward,
      >
      > Nice Idea but what if the user puts in "&"
      > you can't tell the difference between that and what came
      > out of the database. So if you convert it when going into the
      > database you get "&amp" and then "&amp" etc

      Um, isn't that the behaviour you want? Just keep tabs on whether it is
      encoded or not. It's kinda like dealing with URIs.

      --
      Russell O'Connor roconnor@...
      <http://www.undergrad.math.uwaterloo.ca/~roconnor/>
      ``Paradoxically, a refusal to `put a monetary value on life' means that
      life is often undervalued.'' -- Artificial Intelligence: A Modern Approach
    • Jeff Sinclair
      Message 2 of 5 , Feb 16, 2000
        Hi,

        the Problem is that the edit box does its own conversion.
        When a user puts " < " into an edit box, if you just
        put it back the same into the edit box it will show as " < ",
        so you encode it as " &lt; " and then it shows as
        " < " exactly as the user typed it, fine.

        When the user now submits the form again, if you get
        " &lt; " you can not tell if the user
        did nothing or if the user manually changed it to " &lt; ";
        in the first case you don't want to reconvert it, in the second
        you do.

        example
        <input type="text" size=60 maxlength=60 name="title" value=" < ">

        shows as "<";

        Edit Boxes should not do any conversion and just show what
        is in the string.

        Jeff Sinclair


        At 10:53 11/02/2000 -0500, you wrote:
        >On Fri, 11 Feb 2000, Jeff Sinclair wrote:
        >
        >> Hi Edward,
        >>
        >> Nice Idea but what if the user puts in "&"
        >> you can't tell the difference between that and what came
        >> out of the database. So if you convert it when going into the
        >> database you get "&amp" and then "&amp;amp" etc
        >
        >Um, isn't that the behaviour you want? Just keep tabs on whether it is
        >encoded or not. It's kinda like dealing with URIs.
        >
        >--
        >Russell O'Connor roconnor@...
        > <http://www.undergrad.math.uwaterloo.ca/~roconnor/>
        >``Paradoxically, a refusal to `put a monetary value on life' means that
        >life is often undervalued.'' -- Artificial Intelligence: A Modern Approach
        >
        >
        >
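The round trip the two messages are arguing about, written out as an added example (this is not code from either poster): the raw string from the database is escaped once when the edit box is rendered, the browser decodes the attribute before it shows or submits the text, and so the original characters come back unchanged and nothing has to be "reconverted". The function names, the sample inputs and the small entity decoder are my own assumptions; the decoder only models the handful of character references the example needs, not a full HTML parser.

```javascript
// Added example, not from the mailing-list thread. Models one trip of user
// text through an HTML <input value="..."> attribute: escape on render,
// browser decodes, submitted value equals the stored value.

// Escape the five characters that can break out of a double-quoted
// attribute value. Apply this to the RAW stored string on every render;
// never store the escaped form. '&' must be replaced first.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal model of what a browser does with an attribute value: named and
// numeric character references are decoded before the text is displayed in
// the box and before it is sent back on submit. Real parsers know many more
// names; this table is a constructed subset for the example.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeAttr(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const code = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCodePoint(code);
    }
    const named = NAMED[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Server side: build the edit box from the raw database value.
function renderInput(storedValue) {
  return `<input type="text" name="title" value="${escapeAttr(storedValue)}">`;
}

// Pull the attribute back out of the markup and decode it the way the
// browser would. That decoded string is what the user sees in the box and
// what the form submits if the user changes nothing.
function browserValue(markup) {
  const m = /value="([^"]*)"/.exec(markup);
  return m ? decodeAttr(m[1]) : '';
}

// One full cycle: database -> page -> browser -> submit -> database.
function roundTrip(storedValue) {
  return browserValue(renderInput(storedValue));
}

// Constructed sample values.
console.log(renderInput('a < b & "c"'));   // attribute holds &lt; &amp; &quot;
console.log(roundTrip('a < b & "c"'));     // a < b & "c"  (unchanged)
console.log(renderInput('&lt;'));          // value="&amp;lt;" : stored text was already encoded
console.log(roundTrip('&lt;'));            // &lt; (user sees the literal entity)
```

Storing the raw text and escaping on every render makes the cycle idempotent, so the "did the user change it or not" question never arises: whatever comes back is stored as-is and escaped again next time. The last two calls show the other path: if the database already holds `&lt;`, rendering correctly escapes it to `&amp;lt;` and the user sees a literal `&lt;`, which is the growing `&amp;amp;` chain the first quoted message describes. The `"><script>` case in the test shows why the escaping is also the injection defence: the quote and angle brackets never reach the markup unescaped, yet the decoded value is exactly what was stored.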