[OSM-dev] Website Security
Thomas Krüger
openstreetmap.org at nospam.nowire.org
Thu Nov 8 06:38:28 GMT 2007
Joerg Ostertag wrote:
> The quick and easy minimum cure for this would be to disallow/remove the
> characters <,>,UTF8(<),UTF8(>) from the input.
> This would at least cure the easy exploitability.
The typical way to prevent HTML and JavaScript injection is to use the
html-quote function offered by most languages. It quotes all special
characters used in HTML to their entities.
Just replacing < and > may not be enough; you also need to replace " and
' if user-defined data is put into HTML attributes.
Web developers should ALWAYS html-quote external data (forms, DB, ...)
on output.
BTW: "<" and ">" are the same in iso-8859-x and utf-8 (0x3c and 0x3e)
Thomas
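The point above, as an added worked example that is not part of the original thread or of the OSM code base: the "strip < and >" filter from the quoted mail is enough for the text-node case but is bypassed as soon as user data lands inside a quoted attribute, while entity-quoting all of & < > " ' on output (here via Python's html.escape, which is one such "html-quote" function) closes both cases. The payloads and the two small templates are constructed for the demonstration; the parser-based check stands in for what a browser would see.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs, not taken from the original thread.
TAG_PAYLOAD = "<script>alert(1)</script>"      # injects a tag into a text node
DQ_ATTR_PAYLOAD = '" onmouseover="alert(1)'    # breaks out of a "..." attribute
SQ_ATTR_PAYLOAD = "' onmouseover='alert(1)"    # breaks out of a '...' attribute


def strip_angle_brackets(s):
    """The 'minimum cure' from the quoted mail: remove only < and >."""
    return s.replace("<", "").replace(">", "")


def html_quote(s):
    """Entity-encode every HTML-significant character: & < > " and '.
    quote=True makes html.escape turn " into &quot; and ' into &#x27;."""
    return html.escape(s, quote=True)


def render_text(user_data, escaper):
    """Hypothetical template that puts user data into a text node."""
    return "<p>%s</p>" % escaper(user_data)


def render_attr(user_data, escaper, quote='"'):
    """Hypothetical template that puts user data into a quoted attribute."""
    return "<a title=%s%s%s>link</a>" % (quote, escaper(user_data), quote)


class _TagCollector(HTMLParser):
    """Record every start tag and its attributes, the way a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parse_tags(markup):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def is_injected(markup):
    """True if the parsed markup contains any tag or attribute the two
    templates above did not intend: anything but a lone <p> with no
    attributes, or a lone <a> whose only attribute is 'title'."""
    tags = parse_tags(markup)
    if len(tags) != 1:
        return True
    tag, attrs = tags[0]
    if tag == "p":
        return len(attrs) != 0
    if tag == "a":
        return [name for name, _ in attrs] != ["title"]
    return True


def same_bytes_in_latin1_and_utf8(ch):
    """True when a character encodes to identical bytes in ISO-8859-1 and UTF-8,
    which holds for every ASCII character, including < (0x3c) and > (0x3e)."""
    return ch.encode("iso-8859-1") == ch.encode("utf-8")


if __name__ == "__main__":
    for label, payload, render, kw in [
        ("text node", TAG_PAYLOAD, render_text, {}),
        ('"..." attribute', DQ_ATTR_PAYLOAD, render_attr, {}),
        ("'...' attribute", SQ_ATTR_PAYLOAD, render_attr, {"quote": "'"}),
    ]:
        for name, esc in [("strip <>", strip_angle_brackets), ("html-quote", html_quote)]:
            out = render(payload, esc, **kw)
            print("%-16s %-10s injected=%-5s %s" % (label, name, is_injected(out), out))
```

Running the block shows that stripping angle brackets only defends the text-node case: in either attribute template the stripped payload still closes the attribute and adds an onmouseover handler, whereas html_quote leaves the attribute value intact in all three cases. The check uses the stdlib parser rather than string matching so it reports what actually becomes a tag or attribute, not whether a suspicious substring is present.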