[htmltmpl] option to turn ESCAPE=HTML on by default
From: Mark S. <ma...@su...> - 2005-10-14 14:43:32
Hello,

I'm curious about what other people think about an option to turn ESCAPE=HTML on by default, to protect against cross-site scripting practices by default. This seems especially valuable when the convenient "associate => $q" option is used. Then programmers would be forcing themselves to consciously add "NOESCAPE=html" to a tag.

To me, this seems like the equivalent of turning "use strict" on by default, and explicitly declaring "no strict" where needed.

Thoughts?

Mark
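As an added example (not code from the original post or from the HTML::Template distribution), the Perl below renders the same user-supplied value through a TMPL_VAR with and without ESCAPE=HTML, and includes a small hypothetical lint, `unescaped_vars`, that lists the TMPL_VAR tags a reviewer still has to check by hand while escaping is opt-in. The first render emits the script tag verbatim; the second emits it entity-encoded.

```perl
#!/usr/bin/perl
# Added example; the lint helper below is hypothetical, not an HTML::Template API.
use strict;
use warnings;
use HTML::Template;

# Render a template string with the given params and return the resulting HTML.
sub render {
    my ($tmpl_text, %params) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl_text);
    $t->param(%params);
    return $t->output;
}

# Lint helper (hypothetical): return the names of TMPL_VAR tags that carry
# no ESCAPE attribute, i.e. the places where raw input would reach the page.
sub unescaped_vars {
    my ($tmpl_text) = @_;
    my @names;
    while ($tmpl_text =~ /<TMPL_VAR\s+([^>]*?)\s*>/gi) {
        my $attrs = $1;
        next if $attrs =~ /\bESCAPE\s*=/i;               # explicitly escaped
        my ($name) = $attrs =~ /\bNAME\s*=\s*"?([^"\s]+)"?/i;
        ($name) = $attrs =~ /^(\S+)/ unless defined $name; # <TMPL_VAR foo> shorthand
        push @names, $name;
    }
    return @names;
}

# Constructed stand-in for a CGI parameter, as associate => $q would supply it.
my $untrusted = q{<script>alert(1)</script>};

# Same template, once without and once with ESCAPE=HTML on the variable.
my $raw_tmpl  = q{<p>Comment: <TMPL_VAR NAME="comment"></p>};
my $safe_tmpl = q{<p>Comment: <TMPL_VAR NAME="comment" ESCAPE="HTML"></p>};

print "raw:  ", render($raw_tmpl,  comment => $untrusted), "\n";
print "safe: ", render($safe_tmpl, comment => $untrusted), "\n";

# The lint flags "comment" in the raw template and nothing in the safe one.
print "unescaped in raw template:  ", join(', ', unescaped_vars($raw_tmpl)),  "\n";
print "unescaped in safe template: ", join(', ', unescaped_vars($safe_tmpl)), "\n";
```

Running the lint over a template tree in a test suite turns the manual "did we remember ESCAPE=HTML?" review into a failing check, which is the discipline the proposed default would make automatic.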