Posted by shimmyshack on 02/14/07 16:09
On 14 Feb, 15:29, "Dave Mennenoh" <d...@blurredistinction.com> wrote:
> PS - thanks for the hint on removing the htmlentities - that seems to have
> done it.
>
> --
> Dave -
> Head Developer
> www.blurredistinction.com
> Adobe Community Expert
> http://www.adobe.com/communities/experts/
The security risk is real - but oblique, I admit - you have to be
interested in this kind of thing and read up on it.
If you store HTML in your tables, and then just blat it out onto a
webpage, what's to stop someone injecting some dodgy code into your
data, which gets stored away, and then released inside your webpages?
Unless you are totally sure that your database is invulnerable, I
would look into making sure that you don't end up with a defaced RSS
feed.
It works the other way too: people often use RSS feeds with clever
code in them to steal data from competitors' websites which decide to
include those feeds uncleaned into the content of their pages. So in
that case you would deliberately code JS and HTML that gets past the
filters (if they are using any - which your attitude shows is quite
often the case!); then you can steal session data, cookies, even probe
intranets and deliver the content back through the webpage to your own
server.
Basically, trusting HTML or any other code and just including it is
preparing yourself for the day when you have forgotten how it works,
and someone says 'ere look at this... cor matey lets 'ave some fun
innit!