On Jun 2, 2011 1:40 AM, "Shlomi Fish" <shlo...@iglu.org.il> wrote:
>
> On Thursday 02 Jun 2011 01:23:23 rodeored wrote:
> > This code produces the following 3 lines:
> > foreach $twords(@topTypes)
> > {
> > $output.="<p>".commify_series(@$twords)."</p>";
> > }
> >
>
> I should note that there's a risk of HTML-injection / Cross-site-scripting
> (XSS) attack here:
>
> http://en.wikipedia.org/wiki/Cross-site_scripting
>
You don't mean that if @twords contained something like "<div src=javascript.do_something>" it could be a bad thing? :)

All joking aside, this is one of many reasons I use TT on the back end and ESAPI on the front end. I probably don't test as much as I should and might get got. But it is good practice to find APIs that were built with security in mind and use them.

... and for my next trick, I will redo RSA's ECC PKI in 100% Perl :)
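As an added example, not code from the thread, here is the loop quoted above next to a version that escapes each word before it is joined into markup, so a list entry such as "<script>...</script>" is rendered as text rather than run by the browser. The commify_series and escape_html subs are assumed reconstructions (the thread shows neither); in real code use encode_entities from HTML::Entities instead of the hand-rolled escaper.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed: commify_series following the Perl Cookbook recipe, since the
# thread does not show the original definition.
sub commify_series {
    my @list = @_;
    return ''                   if @list == 0;
    return $list[0]             if @list == 1;
    return join(' and ', @list) if @list == 2;
    return join(', ', @list[0 .. $#list - 1], "and $list[-1]");
}

# Minimal HTML escaper (stand-in for HTML::Entities::encode_entities).
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample input: the third word is attacker-controlled markup.
my @topTypes = (
    [ 'apples', 'pears', '<script>alert(1)</script>' ],
    [ 'one', 'two' ],
);

# Unsafe: words go into the HTML verbatim, as in the loop from the thread.
my $unsafe = '';
foreach my $twords (@topTypes) {
    $unsafe .= "<p>" . commify_series(@$twords) . "</p>";
}

# Safe: escape every word first, so the string is inert when rendered.
my $safe = '';
foreach my $twords (@topTypes) {
    $safe .= "<p>" . commify_series(map { escape_html($_) } @$twords) . "</p>";
}

print "unsafe: $unsafe\n";   # contains a live <script> element
print "safe:   $safe\n";     # contains &lt;script&gt; instead
```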