The data in our database is shared by other apps, so its integrity is most important and requires extensive validation... therefore I would have to take a more defensive approach and filter out unwanted markup upfront.
----- Original Message -----
From: "9902468" <[EMAIL PROTECTED]>
To: users@tapestry.apache.org
Sent: Friday, 23 May, 2008 3:40:20 PM GMT +02:00 Athens, Beirut, Bucharest, Istanbul
Subject: Re: Tapestry 5 validation for cross site scripting

Hi,

we have always done it so that the user can input anything they like, but when the page renders, some marks like < and > are encoded to HTML entities. This way the data is in the database exactly like the user intended, and the browser etc. is safe because dangerous characters are encoded. If you encode the data that goes to the database then other systems that use your data might fail. (For an example, < encoded has no meaning to some systems...)

All this is much harder when the user is actually allowed to enter markup directly into the page using, let's say, the Editor component (that uses fckeditor and is missing a proper connector...), and that must be displayed correctly. Then the detection of dangerous markup is a little more difficult, but javascript should be encoded in this situation entirely.

- 99

PS. feel free to elaborate and comment on that approach

Peter Stavrinides wrote:
>
> Hi All
>
> Can anyone offer suggestions on best practice for handling validation
> specifically for preventing cross site scripting and code injection etc in
> Tapestry applications. Is there anything built into the framework I could
> use... if not what is the best way to plug something of my own in. What I
> mean is should I write my own validator/s and use them in every form
> component?, or is there a more elegant way I should know about, say a
> filter or something? Does anyone use a 3rd party library written
> specifically for this?
>
> Thanks
> Peter
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

--
View this message in context: http://www.nabble.com/Tapestry-5-validation-for-cross-site-scripting-tp17423136p17424712.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
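The "store raw, encode at render time" approach described in the reply above, as an added Java example that is not code from the thread or from Tapestry itself. The class name, the `StoredComment` stand-in for a persistence layer, and the sample strings are all constructed for illustration; the encoder covers the HTML body and quoted-attribute contexts only, which is where a comment or name would normally be rendered.

```java
import java.util.List;

// Added example (not from the thread): keep the user's text unchanged in
// storage and encode it only at the point where it is written into HTML.
public final class HtmlOutputEncoding {

    // Escape the characters that carry meaning in HTML text and in
    // double- or single-quoted attribute values. A per-character switch
    // means '&' is never double-encoded and replacement order is irrelevant.
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical persistence layer: the value is saved exactly as typed,
    // so other applications reading the same table see the original text.
    static final class StoredComment {
        final String text;
        StoredComment(String text) { this.text = text; }
    }

    static StoredComment store(String userInput) {
        return new StoredComment(userInput);
    }

    // Render step: encoding happens once, at the boundary into HTML.
    static String renderCommentHtml(StoredComment c) {
        return "<p class=\"comment\">" + encodeForHtml(c.text) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate use of < and >, one markup.
        List<String> inputs = List.of(
            "5 < 6 && 6 > 5",
            "<b>bold</b> <script>alert(1)</script>");
        for (String in : inputs) {
            StoredComment c = store(in);
            System.out.println("stored  : " + c.text);
            System.out.println("rendered: " + renderCommentHtml(c));
        }
    }
}
```

Two points worth keeping in mind when applying this in a Tapestry 5 application. First, the framework's own `${...}` template expansions already HTML-escape their output, so the place this encoding is typically bypassed is where raw output is requested deliberately (for example through the OutputRaw component) to display editor-produced markup; that is the "Editor component" case the reply calls harder. Second, the encoder above is only correct for HTML text and attribute contexts: a value inserted into a JavaScript string, a URL, or a CSS property needs the encoding for that context instead. For the rich-text case, an allowlist sanitizer that keeps a fixed set of harmless tags and attributes and drops everything else (the OWASP Java HTML Sanitizer is one such library) is safer than trying to recognise and strip dangerous markup.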