Just a quick public service announcement:
Be safe.
Always:
- Be mindful of encoding mismatches. If you're stuffing your frozen hash into an HTML/XML attribute value (and it looks like you are), what you are stuffing must conform to SGML/XML CDATA encoding requirements. Is the character encoding that FreezeThaw returns guaranteed to satisfy those requirements? If not, it's your responsibility to encode the frozen data before stuffing it into the attribute value. And on the reverse trip "out" of the value, you must decode it before thawing.
- Be paranoid about data from the client. What you get back from the HTTP POST may not be what you placed into your form's hidden field. The data you receive may not be what you were expecting. An attacker may have crafted a value designed to cause you grief.
If you want to be safe, sign or encrypt your data on the way out and verify
the signature on the way in. Use a key that is only known to your server.
Let's be careful out there.
Cheers,
Tom
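The two points above (attribute-safe encoding, and signing on the way out / verifying on the way in) as a worked example. This is added illustration, not code from the post or from the FreezeThaw module; it is written in Python rather than Perl so the round trip can be checked directly, and it uses JSON as a stand-in for FreezeThaw's freeze/thaw. The key, field name and sample hash are constructed for the example; a real deployment keeps the key only on the server.

```python
import base64
import hashlib
import hmac
import html
import json

# Constructed secret for this example; must live only on the server, never in the form.
SERVER_KEY = b"example-only-server-secret-keep-private"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 in front of the payload


def freeze(data):
    """Serialize the structure; stand-in for FreezeThaw's freeze()."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")


def thaw(blob):
    """Inverse of freeze(); stand-in for FreezeThaw's thaw()."""
    return json.loads(blob.decode("utf-8"))


def seal(data, key=SERVER_KEY):
    """Freeze, prepend an HMAC over the frozen bytes, and base64-encode the whole thing.

    urlsafe base64 yields only [A-Za-z0-9_=-], so the token itself contains nothing that
    needs CDATA escaping; the explicit html.escape in hidden_field() is still applied so the
    encoding step is never forgotten if the serialization format changes.
    """
    frozen = freeze(data)
    tag = hmac.new(key, frozen, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + frozen).decode("ascii")


def hidden_field(name, data):
    """Render the sealed value inside an attribute, escaped for the HTML/XML attribute context."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(seal(data), quote=True),
    )


def unseal(token, key=SERVER_KEY):
    """Verify the signature BEFORE thawing; return the dict, or None if anything is off.

    `token` is the attribute value after the browser/HTML parser has undone attribute
    escaping, i.e. what arrives in the POST body.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    tag, frozen = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, frozen, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return thaw(frozen)
    except (ValueError, UnicodeDecodeError):
        return None  # signature was valid but the payload is not something we froze


def check_cases():
    """Exercise the round trip plus the failure modes a server must reject."""
    original = {"user": "alice", "role": "member"}
    token = seal(original)

    # Simulate the attribute round trip: escape for the markup, unescape on the way back.
    escaped = html.escape(token, quote=True)
    round_trip = unseal(html.unescape(escaped))

    # A client that edits the frozen payload but keeps the old tag.
    tag = base64.urlsafe_b64decode(token.encode("ascii"))[:TAG_LEN]
    edited = base64.urlsafe_b64encode(tag + freeze({"user": "alice", "role": "admin"})).decode()

    # A client that builds a complete token without knowing the server key.
    wrong_key = seal({"user": "alice", "role": "admin"}, key=b"guess")

    return {
        "round_trip": round_trip,
        "edited_payload": unseal(edited),
        "wrong_key": unseal(wrong_key),
        "garbage": unseal("not base64 at all!!"),
        "empty": unseal(""),
    }


if __name__ == "__main__":
    print(hidden_field("state", {"user": "alice", "role": "member"}))
    print(check_cases())
```

The order in `unseal()` matters: the HMAC is checked over the raw frozen bytes before `thaw()` ever runs, so a crafted payload is discarded without being parsed. Signing alone does not hide the contents from the client; if the hash holds anything the user should not see, encrypt it as well, as the post suggests.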