Well, but sometimes you want them to be able to enter HTML: style items, simple links, etc.
[EMAIL PROTECTED] wrote:
> Yes it is much safer to reject rather than sanitize. If bad tags are
> detected then reject the input out of hand. If you don't, your
> sanitizer could be turned against you and end up changing slightly
> dangerous tags into really dangerous tags. What happens here
> <scr<script>ipt> when a sanitizer is set to remove all of the script
> tags? If the user made a genuine mistake then let them fix it.
> Otherwise it is a hack attempt and not worth your trouble.
>
> On Jul 13, 8:08 am, Horst Gutmann <[EMAIL PROTECTED]> wrote:
>> The problem with whatever system you use is the huge amount of ways to
>> inject XSS attacks into HTML thanks to problems in the various browser
>> engines. A few weeks ago I found a nice listing (nice looooong listing) but
>> can't remember the URL anymore :-/
>>
>> .. _BeautifulSoup: http://www.crummy.com/software/BeautifulSoup/
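The two policies contrasted in the quoted reply, shown side by side in working code. This is an added example and not code from the thread: `naive_strip_script` is a stand-in for the single-pass "remove the script tags" sanitizer being criticised, and `validate_user_html` is the alternative the reply recommends, an allowlist check that reports every tag or attribute it does not recognise so the whole submission can be rejected and handed back to the user unchanged. The allowlist, the accepted URL schemes and the sample inputs are constructed for the demonstration; the nested-tag input is the one quoted in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist for the example: the handful of tags a comment
# form might reasonably accept. Adjust to what the site actually needs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
# Empty scheme means a relative link; anything else must be http(s).
ALLOWED_SCHEMES = {"", "http", "https"}

# The nested-tag input quoted in the thread, with a harmless body.
NESTED_SCRIPT = "<scr<script>ipt>alert(1)</script>"


def naive_strip_script(html: str) -> str:
    """Single-pass removal of <script> tags, the approach the thread warns about.

    Removing the inner <script> from <scr<script>ipt> leaves the outer
    characters to join up into a fresh <script> tag, so the 'cleaned'
    output is more dangerous than the input."""
    return re.sub(r"</?script[^>]*>", "", html, flags=re.IGNORECASE)


class AllowlistChecker(HTMLParser):
    """Walks the markup and records every tag or attribute outside the allowlist.

    It never rewrites the input. The caller rejects the whole submission if
    any violation was recorded, which is the 'reject, don't sanitize' policy."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.violations = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.violations.append(f"attribute {name!r} on <{tag}> not allowed")
            elif name == "href":
                # strip() guards against leading whitespace hiding the scheme.
                scheme = urlsplit((value or "").strip()).scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    self.violations.append(f"href scheme {scheme!r} not allowed")

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags go through the same check as <br>.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"closing tag </{tag}> not allowed")


def validate_user_html(html: str) -> list[str]:
    """Return the list of violations; an empty list means the markup is acceptable."""
    checker = AllowlistChecker()
    checker.feed(html)
    checker.close()
    return checker.violations


if __name__ == "__main__":
    print("naive sanitizer output:", naive_strip_script(NESTED_SCRIPT))
    print("allowlist verdict:", validate_user_html(NESTED_SCRIPT) or "accepted")
    ok = '<p>Hi <b>there</b>, see <a href="https://example.com/">this</a></p>'
    print("allowlist verdict:", validate_user_html(ok) or "accepted")
```

The checker reports rather than repairs: whatever the parser makes of a malformed tag name, it is not on the allowlist, so the submission is bounced back with a list of what was wrong and the user can fix a genuine typo. Event handlers and `javascript:` links are caught the same way, because only the listed attributes and URL schemes are ever accepted.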