[Clipart] Fwd: [Bug 689839] Re: internet explorer save button not working
eady at galion.lib.oh.us
Tue Mar 29 11:24:28 PDT 2011
Piers Haken <piersh at hotmail.com> writes:
> In general you should NEVER put text into an HTML document without
> encoding it first. You should NEVER treat text from the user as
Well, unless the text is trusted or carefully sanitized first, but yeah.
In Perl there's a standard module for this (HTML::Entities), but I have
no idea how it's usually done in PHP.
(Of course, if you want to be draconian you can just REMOVE any
characters that aren't on an approved list of characters allowed in that
field, which for full names on an English-language site could consist of
A-Z, a-z, space, maybe underscore or hyphen, and possibly apostrophe.
But it's not really necessary to be that harsh. Just encoding special
characters as entities is good enough to prevent code injection.)
Galion Public Library
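The two approaches discussed in the post above, entity-encoding user text before it is placed in an HTML document versus stripping every character that is not on an approved list, as an added example that is not part of the original message. It is written in Python (using the standard library's html.escape in place of Perl's HTML::Entities), the name-field allowlist is an assumption taken from the post's own description (A-Z, a-z, space, underscore, hyphen, apostrophe), and the sample inputs are constructed.

```python
import html
import re

# Assumption: the approved character set for a "full name" field on an
# English-language site, as sketched in the post. Anything else is removed
# by the "draconian" strategy.
NAME_DISALLOWED = re.compile(r"[^A-Za-z _'-]")


def encode_for_html(text: str) -> str:
    """Entity-encode text so it is inert inside an HTML element body.

    quote=True also encodes ' and " so the same output is safe inside a
    quoted attribute value. The original characters are preserved and are
    recoverable with html.unescape().
    """
    return html.escape(text, quote=True)


def strip_to_allowlist(name: str) -> str:
    """The harsher alternative: delete every character not on the approved list.

    Note that this changes the user's data (markup characters vanish
    rather than being displayed), which is why encoding is usually enough.
    """
    return NAME_DISALLOWED.sub("", name)


def render_greeting(name: str, strategy: str = "encode") -> str:
    """Build the HTML fragment that displays a user-supplied name."""
    if strategy == "encode":
        safe = encode_for_html(name)
    elif strategy == "allowlist":
        safe = strip_to_allowlist(name)
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    # The template contributes exactly four tags of its own.
    return f'<p>Hello, <span class="name" title="{safe}">{safe}</span></p>'


TEMPLATE_TAG_COUNT = 4  # <p>, <span ...>, </span>, </p>


def user_text_added_markup(rendered: str) -> bool:
    """Check: did the user-supplied part introduce any tag beyond the template's?"""
    return rendered.count("<") != TEMPLATE_TAG_COUNT


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name with an apostrophe,
    # one that smuggles markup into the name field.
    for sample in ("O'Brien", "Mary <b>Smith</b>"):
        for strategy in ("encode", "allowlist"):
            out = render_greeting(sample, strategy)
            print(f"{strategy:9} {sample!r:22} -> {out}")
            assert not user_text_added_markup(out)
```

Both strategies keep the injected `<b>` from becoming a real element, but only encoding preserves what the user typed (`O'Brien` survives as `O&#x27;Brien` and round-trips through `html.unescape`). Entity encoding is specific to the HTML element-body and quoted-attribute contexts shown here; text placed inside a script block, a URL, or a CSS value needs the encoding appropriate to that context instead.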