PHP - security etc

Simon Wilcox essuu at ourshack.com
Thu Mar 8 15:13:21 GMT 2007


On Thu, 8 Mar 2007, Dominic Mitchell wrote:

> Mason works great for me:
>
>   % $foo = "<b>@</b>";
>   <% $foo %>            # &lt;b&gt;@&lt;/b&gt;
>   <% $foo |n %>         # <b>@</b>

And what does this output?

   % $input = "<blink>I rulez</blink>"; # or a cgi param :-)
   % $foo = "<b>$input</b>";
   <% $foo %>            #
   <% $foo |n %>         #

I don't think either is what you want, which is

<b>&lt;blink&gt;I rulez&lt;/blink&gt;</b>

So you still have to deal with escaping html by hand. Or am I wrong here?

Simon.

-- 
"So long and thanks for all the fish"
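The three cases under discussion, written out as an added example in plain Perl rather than Mason (this is not code from the thread, and `escape_html` is a small stand-in for Mason's default output filter, whose escaping behaviour is only what the quoted `<% $foo %>` / `<% $foo |n %>` lines show). It contrasts escaping the whole assembled string, emitting it raw, and escaping only the untrusted value at the point it is interpolated:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for a template engine's default HTML output filter (assumption:
# Mason uses a real entity encoder; this covers the characters that matter here).
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Untrusted input, e.g. a CGI parameter (constructed sample value).
my $input = '<blink>I rulez</blink>';

# Author-controlled markup wrapped around the untrusted value.
my $foo = "<b>$input</b>";

# Case 1: escape the assembled string, as <% $foo %> does.
# Safe, but the author's own <b> is turned into text too.
my $escaped_all = escape_html($foo);

# Case 2: emit the assembled string raw, as <% $foo |n %> does.
# The author's <b> survives, and so does the injected <blink>.
my $raw = $foo;

# Case 3: escape only the untrusted value when it is interpolated,
# then emit the result without a second escaping pass.
my $safe = '<b>' . escape_html($input) . '</b>';

print "escaped whole string : $escaped_all\n";
print "raw                  : $raw\n";
print "escaped at insertion : $safe\n";

# Simple check a reviewer might run: no raw '<' from the input survives
# in the safe output, while the intended <b> wrapper still does.
die "untrusted markup leaked" if $safe =~ /<blink>/;
die "author markup lost"      unless $safe =~ /^<b>.*<\/b>$/;
```

Only the third line is the `<b>&lt;blink&gt;I rulez&lt;/blink&gt;</b>` form Simon describes as the wanted output; the other two reproduce the two unwanted outcomes, which is why a whole-string output filter on its own does not remove the need to escape user data where it is inserted.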
