PHP - security etc
dom at happygiraffe.net
Thu Mar 8 14:29:37 GMT 2007

On Wed, Mar 07, 2007 at 09:10:49PM +0000, David Cantrell wrote:
> On Wed, Mar 07, 2007 at 05:20:31PM +0000, Dominic Mitchell wrote:
> > You're creating a damned web page. You need to escape pretty much
> > everything. Not escaping things should be the exception, rather than
> > the other way around. Otherwise it gets forgotten and guess what? Lots
> > of XSS attacks. Yay!
> I don't understand "XSS" attacks. Anyone permitting random strangers to
> embed *whatever the fuck they like* in his site has FAR bigger problems

Yeah, but the point is that most people don't intentionally want to do
this, they do it by accident. Because our tools make it so damned
difficult to do the right thing.
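
The "escape by default, opt out explicitly" idea from the thread, as an added example that is not part of the original message: a minimal PHP 8.1+ template helper in which every substituted value is HTML-escaped unless the caller wraps it in a marker class. The names `RawHtml` and `render` and the `{{name}}` placeholder syntax are hypothetical, and the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Marker for the rare value that is already trusted HTML (hypothetical name).
final class RawHtml
{
    public function __construct(public readonly string $html) {}
}

// Fill {{name}} placeholders. Every value is escaped unless wrapped in RawHtml,
// so forgetting to think about escaping fails safe instead of failing open.
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        static function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                throw new InvalidArgumentException("no value for {$m[1]}");
            }
            $value = $vars[$m[1]];
            if ($value instanceof RawHtml) {
                return $value->html; // explicit opt-out, easy to grep for in review
            }
            return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $template
    );
}

// Constructed sample input: user-supplied fields that happen to contain markup.
echo render('<p>{{who}} wrote: {{body}}</p>{{footer}}', [
    'who'    => 'Tom & "Jerry"',
    'body'   => '<script>alert(1)</script>',
    'footer' => new RawHtml('<hr>'),
]) . "\n";
```

`htmlspecialchars` covers HTML text and quoted attribute values only; values placed inside script blocks, URLs or CSS need an encoder for that context.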