Bug in URI ?!

Dominic Mitchell dom at happygiraffe.net
Wed Aug 16 12:58:36 BST 2006


On Wed, Aug 16, 2006 at 09:57:11AM +0100, Aaron Trevena wrote:
> On 16/08/06, Jonathan Stowe <jns at gellyfish.com> wrote:
> >On Wed, 2006-08-16 at 08:44, Dominic Mitchell wrote:
> >>  templating  systems did HTML escaping by default
> >
> >... and consequently destroying the carefully crafted Postscript, RTF,
> >LaTeX or whatever else one might be trying to output.

Then turn the default the other way.  I'm willing to bet that these are
fairly minority uses compared to web templating.

> Exactly - what's wrong with [% value | html %] ?
> 
> Works for me

It works, but you're an expert web programmer with years of experience.
You know to put it there.

And I bet that were I to look at some of your source code to a web site,
you'll have missed at least one.  And that's quite likely to be a cross
site scripting security hole waiting to happen.

Why are you opposed to making the tools work according to spec?

-Dom
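The point made above, that an opt-in `| html` filter is easy to forget while an escape-by-default engine with an explicit opt-out still covers Postscript, RTF or LaTeX output, worked through as an added example. This is not code from the thread or from Template Toolkit: it is a toy renderer whose tag syntax only mimics TT's `[% name | filter %]`, plus an audit helper that lists the tags a template leaves unfiltered. The renderer, the `raw` filter name and the sample template and values are all constructed assumptions.

```python
import html
import re

# Constructed tag syntax modelled on Template Toolkit: [% name %] or [% name | filter %].
TAG = re.compile(r"\[%\s*(\w+)\s*(?:\|\s*(\w+)\s*)?%\]")


def render(template: str, variables: dict, escape_by_default: bool) -> str:
    """Expand tags; an unfiltered tag is escaped or passed through depending on the default."""

    def expand(match: re.Match) -> str:
        name, flt = match.group(1), match.group(2)
        value = str(variables[name])
        if flt == "html":          # explicit opt-in, as in [% value | html %]
            return html.escape(value, quote=True)
        if flt == "raw":           # explicit opt-out for non-HTML output (assumed filter name)
            return value
        # No filter given: this is the case the thread argues about.
        return html.escape(value, quote=True) if escape_by_default else value

    return TAG.sub(expand, template)


def unfiltered_tags(template: str) -> list:
    """Audit helper: names of tags that carry no filter, i.e. the ones a reviewer must check."""
    return [m.group(1) for m in TAG.finditer(template) if m.group(2) is None]


# Constructed sample: the author remembered the filter on one field and missed it on another.
PAGE = "<h1>[% title | html %]</h1><p>[% comment %]</p>"
VALUES = {"title": "Hello", "comment": "<script>alert('xss')</script>"}

# Constructed non-HTML template: escaping must be turned off explicitly here.
LATEX = r"\section{[% title | raw %]}"


def leaks_markup(escape_by_default: bool) -> bool:
    """True when the untrusted comment reaches the output as live markup."""
    return "<script>" in render(PAGE, VALUES, escape_by_default)


if __name__ == "__main__":
    print("opt-in  (TT style) leaks:", leaks_markup(False))   # the forgotten filter bites
    print("opt-out (escape by default) leaks:", leaks_markup(True))
    print("tags to review in PAGE:", unfiltered_tags(PAGE))
    print(render(LATEX, {"title": "A & B"}, True))           # raw filter keeps LaTeX intact
```

Running the audit helper over a template tree is the cheap version of the check the message asks for: under opt-in escaping every name it prints is a candidate hole, under opt-out escaping only the `raw` tags need a second look.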
