28 Sep 2015, 2 p.m.
2015-09-28 16:54 GMT+03:00 Shlomi Fish <shlomif@shlomifish.org>:
Because cross-site scripting (XSS) can be a serious security vulnerability. Let's suppose you put a field called "myfield" that was input from the user directly into the HTML:
<td><% myfield %></td>
Then a malicious user can put something like this in "myfield":
<script type="text/javascript">alert('XSS!')</script>
And this is just the beginning of malicious JS that can be inserted.
For a cautionary measure, see:
Some template engines treat your variables as potentially dangerous unless you tell them otherwise. For example Text::Xslate: https://metacpan.org/pod/Text::Xslate#Smart-escaping-for-HTML-metacharacters

Wbr,
--
All the best,
G
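To show the escaping behaviour described in this thread in working code, here is an added example (not from either poster) using Text::Xslate's default Kolon syntax; it assumes Text::Xslate is installed and uses the script payload quoted above as constructed input:

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Text::Xslate qw(mark_raw html_escape);

# Constructed sample input: the payload quoted earlier in the thread.
my $payload = q{<script type="text/javascript">alert('XSS!')</script>};

# Default (Kolon) syntax: every interpolated variable is HTML-escaped
# on output unless it has been explicitly marked as raw.
my $tx = Text::Xslate->new();

# 1. Smart escaping: <, >, ", ' and & are encoded, so a browser renders
#    the payload as text instead of executing it.
print "escaped: ",
    $tx->render_string('<td><: $myfield :></td>', { myfield => $payload }), "\n";

# 2. Opting out with mark_raw() reproduces the vulnerable "<% myfield %>"
#    case from the quoted message; only do this for strings your own code
#    generated, never for user-supplied values.
print "raw:     ",
    $tx->render_string('<td><: $myfield :></td>', { myfield => mark_raw($payload) }), "\n";

# 3. With an engine that does not escape by default, escape before passing
#    the value in; html_escape() returns an already-escaped, raw-marked string.
print "manual:  ", html_escape($payload), "\n";
```

Run it once to compare the three lines: only the second one still contains a live `<script>` tag.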