[htmltmpl] Re: option to turn ESCAPE=HTML on by default
From: Mark S. <ma...@su...> - 2005-10-14 15:26:24
On 2005-10-14, Roger Burton West <ro...@fi...> wrote:
> On Fri, Oct 14, 2005 at 06:49:40PM +0400, Alex Kapranoff wrote:
>>* Mark Stosberg <ma...@su...> [October 14 2005, 18:37]:
>>> I'm curious about what other people think about an option to
>>> turn ESCAPE=HTML on default, to protect against cross script scripting
>>> practices by default.
>>All for it. About 10% of my TMPL_VARS are not escaped. "NOESCAPE=html"
>>looks very confusing. Should probably be "ESCAPE=none".

You are right. Thanks for the refinement.

    Mark
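
An added example, not part of the thread and not HTML::Template code: a small audit that lists which TMPL_VAR tags carry no ESCAPE attribute, i.e. the ones whose output would change if escaping became the default and which would need an explicit opt-out if they are meant to emit markup. It assumes single-line tags, and it treats ESCAPE=0 and the "none" spelling proposed above as explicit opt-outs; the sample template is constructed.

```python
import re

# <TMPL_VAR ...> and the comment form <!-- TMPL_VAR ... -->, any letter case.
TAG = re.compile(r"<(?:!--\s*)?TMPL_VAR\b([^>]*?)(?:--)?>", re.IGNORECASE)
# key=value with a double-quoted, single-quoted or bare value.
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# Explicit opt-outs: ESCAPE=0, plus "none", the spelling proposed in the thread.
RAW_VALUES = {"0", "none"}

def audit(template):
    """Return (line, name, status) per TMPL_VAR; status is
    'escaped', 'raw' (explicit opt-out) or 'implicit' (no ESCAPE attribute)."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        for tag in TAG.finditer(line):
            body = tag.group(1)
            attrs = {k.lower(): (dq or sq or bare)
                     for k, dq, sq, bare in ATTR.findall(body)}
            # NAME= may be omitted: <TMPL_VAR foo> names the variable directly.
            name = attrs.get("name") or ATTR.sub("", body).strip().strip("\"'")
            if "escape" not in attrs:
                status = "implicit"
            elif attrs["escape"].lower() in RAW_VALUES:
                status = "raw"
            else:
                status = "escaped"
            findings.append((lineno, name, status))
    return findings

def affected_by_default(findings):
    """Variables whose output changes if escaping becomes the default."""
    return [name for _, name, status in findings if status == "implicit"]

# Constructed sample template, not taken from any real project.
SAMPLE = """<h1><TMPL_VAR NAME="title" ESCAPE=HTML></h1>
<p>Posted by <tmpl_var name=author escape="html"></p>
<a href="/u?id=<TMPL_VAR NAME=uid ESCAPE=URL>">profile</a>
<div><TMPL_VAR NAME=body_html></div>
<!-- TMPL_VAR NAME=footer ESCAPE=0 -->
<p><TMPL_VAR comment></p>
"""

if __name__ == "__main__":
    for lineno, name, status in audit(SAMPLE):
        print(f"line {lineno}: {name:10} {status}")
    print("review before flipping the default:", affected_by_default(audit(SAMPLE)))
```

Each name it reports is either an unescaped variable that the new default would protect, or one that intentionally emits markup and would need the explicit opt-out.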