From: Florian H. <ha...@bi...> - 2001-10-24 12:52:18
On Fri, Oct 19, 2001 at 09:22:00AM -0500, Gilles Detillieux wrote:
> I have to disagree with you on this point. Whether the default syntax
> is insecure or not depends totally on the context in which the template
> variable is used, and how that template variable is generated.

No, it doesn't depend on the context. The default syntax passes client-supplied data unchanged and untested to the result page. This is something that should never happen, under any circumstances. Things like STARSLEFT are totally different: they do not use client-supplied information and so are not vulnerable to cross-site scripting attacks. WORDS is.

Yours,
Florian.
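To make the distinction in the message concrete, here is an added illustration (not htdig's code; the `$(NAME)` template syntax and the sample values are constructed stand-ins): a minimal result-page renderer that HTML-escapes variables carrying client-supplied data, such as WORDS, while substituting server-generated ones, such as STARSLEFT, verbatim.

```python
import html
import re

# Constructed stand-in for a result-page template; htdig's real syntax differs.
TEMPLATE = "<p>Results for: $(WORDS)</p><p>Rating: $(STARSLEFT)</p>"

# Variables whose value originates in the client request and must be escaped
# before it is written into HTML. STARSLEFT is generated server-side, so it is
# deliberately not in this set.
CLIENT_SUPPLIED = {"WORDS"}

_VAR = re.compile(r"\$\((\w+)\)")


def render_unchecked(template, variables):
    """Substitute every variable verbatim: client input reaches the page unescaped."""
    return _VAR.sub(lambda m: variables.get(m.group(1), ""), template)


def render_escaped(template, variables):
    """Escape client-supplied variables; leave server-generated ones untouched."""
    def substitute(m):
        name = m.group(1)
        value = variables.get(name, "")
        if name in CLIENT_SUPPLIED:
            # Neutralise <, >, &, " and ' so the search words render as text.
            return html.escape(value, quote=True)
        return value
    return _VAR.sub(substitute, template)


if __name__ == "__main__":
    # Constructed inputs: WORDS carries markup as a client could submit it,
    # STARSLEFT carries markup the server itself produced.
    values = {"WORDS": "<b>x</b>", "STARSLEFT": "<img src=star.gif>"}
    print(render_unchecked(TEMPLATE, values))
    print(render_escaped(TEMPLATE, values))
```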