Hi Chris,

On Monday 12 May 2008 14:28, Chris Lamb wrote:
> I have attached a patch that fixes some cross-site scripting vulnerabilities
> in http://qa.debian.org/madison.php.
Good work. Since the page is in UTF-8, it's better to use htmlspecialchars() than htmlentities(), because the latter tends to cause trouble with multibyte chars, and there's no need to encode more entities than htmlspecialchars() does if the charset is UTF-8.

I also don't think these are really "vulnerabilities", since there's no sensitive data to steal through this cross-site scripting, as far as I know. But of course, still, output should be properly encoded.

cheers,
Thijs
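The htmlspecialchars() versus htmlentities() point above, as an added example that is not part of the thread or of the madison.php patch. It assumes a user-supplied query parameter such as a package name; the input string is constructed for the demo.

```php
<?php
// Added example (not from the original thread): encoding a user-supplied
// value before it is written into an HTML page served as UTF-8.

function encode_for_html(string $value): string {
    // htmlspecialchars() encodes only the characters that are significant in
    // HTML markup (& < > " '). With the charset given as UTF-8 it leaves
    // multibyte characters untouched, which is all an HTML context needs.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed input: a package name with injected markup, a double quote
// (relevant when the value lands in an attribute) and a multibyte char.
$input = 'libc6"<script>x</script> é';

// Safe for insertion into element content or a quoted attribute; the
// accented character survives as-is.
echo encode_for_html($input), "\n";

// htmlentities() with a single-byte charset (ISO-8859-1 was the default
// before PHP 5.4) interprets each byte of the two-byte UTF-8 sequence for
// "é" as a separate Latin-1 character and emits two unrelated entities,
// which is the multibyte trouble referred to above.
echo htmlentities($input, ENT_QUOTES, 'ISO-8859-1'), "\n";

// With the charset declared explicitly, htmlentities() is also safe, but it
// converts every character that has a named entity, which is unnecessary
// when the page is already declared as UTF-8.
echo htmlentities($input, ENT_QUOTES, 'UTF-8'), "\n";
```

Running the three echo lines side by side shows why the explicit charset argument matters more than the choice of function for correctness, while htmlspecialchars() is the minimal, sufficient encoding for a UTF-8 page.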