note
andreas1234567
<blockquote>
what do <i>you</i> do to prevent XSS reliably?
</blockquote>
<ul>
<li>Sanitize user input using an <a href="http://www.owasp.org/index.php/Data_Validation">accept known good only</a> approach (link to owasp.com). I find [mod://Embperl::Form::Validate] very useful, although there are many others as well.</li>
<li>Flip [mod://HTML::Mason]'s <c>default_escape_flags</c> so that if someone enters: <c>
<script>load_malicious_javascript_from_hacker_site;</script>
</c>
into a text field in your blog, it is displayed verbatim rather than turned into executable code.</li>
</ul>
The <a href="http://www.owasp.org/index.php/Category:OWASP_Guide_Project">OWASP Guide to Building Secure Web Applications</a> version 3 draft is out. It is certainly an interesting read for those concerned about web application security.
<div class="pmsig"><div class="pmsig-321512">
<small>
--<br>
When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. <a href="http://www.despair.com/viewall.html">[1]</a>
</small>
</div></div>
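<p>The two measures in the post above, allowlist validation of input and entity-escaping of output, shown as a small stand-alone Perl script. This is an added example, not code from the post, from Embperl::Form::Validate or from HTML::Mason; the <c>escape_html</c> and <c>valid_username</c> subs and the sample inputs are constructed here for illustration. It uses only core Perl so it runs with no modules installed.</p>

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Output escaping: replace the HTML metacharacters with entities so that
# whatever a user typed is rendered as literal text by the browser.
# This is the hand-rolled equivalent of what HTML::Mason applies globally
# when the interpreter is created with default_escape_flags => 'h'.
sub escape_html {
    my ($text) = @_;
    my %entity = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Input validation, "accept known good only": a username may contain only
# ASCII letters, digits, underscore and dash, 1 to 32 characters.
# Anything else is rejected outright rather than "cleaned up".
sub valid_username {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_-]{1,32}\z/;
}

# Constructed sample inputs for the demonstration (not real data).
my @samples = (
    'alice_42',
    '<script>load_malicious_javascript_from_hacker_site;</script>',
    q{" onmouseover="alert(1)},
);

for my $input (@samples) {
    my $verdict = valid_username($input) ? 'accepted' : 'rejected';
    printf "%-9s %s\n", "$verdict:", $input;

    # Regardless of the validation verdict, only escaped text ever reaches
    # the page, so a missed check in one place does not become an XSS hole.
    printf "rendered: <p>%s</p>\n\n", escape_html($input);
}
```

<p>Validation and escaping are deliberately independent: the regex decides whether the value is acceptable at all, and <c>escape_html</c> is applied at the point of output no matter what the validator said. In HTML::Mason the same split is achieved by enabling escaping globally with <c>default_escape_flags => 'h'</c> and opting out only for the few substitutions that intentionally emit pre-built markup, with the <c>|n</c> flag on that substitution alone.</p>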