PHP - security etc

Dominic Mitchell dom at happygiraffe.net
Thu Mar 8 14:29:37 GMT 2007


On Wed, Mar 07, 2007 at 09:10:49PM +0000, David Cantrell wrote:
> On Wed, Mar 07, 2007 at 05:20:31PM +0000, Dominic Mitchell wrote:
> > You're creating a damned web page.  You need to escape pretty much
> > everything.  Not escaping things should be the exception, rather than
> > the other way around.  Otherwise it gets forgotten and guess what?  Lots
> > of XSS attacks.  Yay!
> 
> I don't understand "XSS" attacks.  Anyone permitting random strangers to
> embed *whatever the fuck they like* in his site has FAR bigger problems
> than that his users might run some bit of Javascript they don't want.

Yeah, but the point is that most people don't intentionally want to do
this; they do it by accident.  Because our tools make it so damned
difficult to do the right thing.

-Dom
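The "escape by default, opt out explicitly" approach Dominic argues for, as an added PHP example (not code from the thread or from any of its participants). It assumes PHP 8.1 or later, UTF-8 output and an HTML body context; the helper names `h()`, `out()`, `SafeHtml` and `renderComment()` are invented for the illustration.

```php
<?php
// Added example (not from the original thread): an "escape by default" output
// helper, so the unescaped path has to be requested explicitly and stands out
// in code review. Assumes UTF-8 output and an HTML body context.
declare(strict_types=1);

/** Escape a value for insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Marker for content that has already been made safe (e.g. the output of an
 * HTML sanitizer). Only values wrapped in this class bypass escaping, so a
 * grep for "new SafeHtml" lists every place that deserves a second look.
 */
final class SafeHtml
{
    public function __construct(public readonly string $html) {}
}

/** Emit a value: escape everything unless it was explicitly marked safe. */
function out(string|SafeHtml $value): string
{
    return $value instanceof SafeHtml ? $value->html : h($value);
}

/** Render a comment block; $author and $comment are untrusted user input. */
function renderComment(string $author, string $comment): string
{
    // Text and attribute contexts go through out(); the URL query component
    // needs URL encoding instead, so it gets rawurlencode() explicitly.
    return '<p class="author">' . out($author) . '</p>'
         . '<p class="comment">' . out($comment) . '</p>'
         . '<a href="/user?name=' . rawurlencode($author) . '">profile</a>';
}

// Constructed sample input, the kind of thing a stranger might submit.
$author  = '"><script>alert(1)</script>';
$comment = 'Nice post & thanks <b>!</b>';

echo renderComment($author, $comment), PHP_EOL;
// The angle brackets are emitted as &lt; and &gt;, so the browser renders the
// submitted text literally instead of executing it.
```

The design point is that the default path (`out()` on a plain string) is the safe one, and the only way to get raw markup into the page is to construct a `SafeHtml` value on purpose. That inverts the situation Dominic describes, where forgetting a call is what lets the XSS in.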


More information about the london.pm mailing list