in reply to Re: Back to acceptable untainted characters
in thread Back to acceptable untainted characters

3. In all cases, RegExp/escape any HTML from users so the code would never render in a browser
...unless you want some HTML to render, as you might in e.g. a user "biography" field. In that case, you'll probably want to do some trickery with an HTML parser module to allow a few tags and attributes and strip out the rest.

Once again, though, note the use of "allow". Decide what's permissible and take out everything else. Better safe than sorry.

=cut
--Brent Dax
There is no sig.


Re: Re: Re: Back to acceptable untainted characters
by bradcathey (Prior) on Sep 08, 2003 at 12:29 UTC
    Thanks BrentDax. That was a helpful word.