Re: guestbook script is still vulnerable under apache
From: surfboy () DARKWAVE ORG UK (Andrew Clegg)
Date: Fri, 26 Jun 1998 09:50:30 +0100
Quoting Lars Eilebrecht (Lars.Eilebrecht () UNIX-AG ORG):
> IMHO the guestbook script should not try to strip out SSIs, but rather
> reject every input which contains the sequence "<!--#".
Personally I favour replacing every < with a &lt; and every > with a &gt;
That way the users get out exactly what they put in...
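
The two policies discussed in this thread, side by side, as an added example that is not part of the original post or of the guestbook script: rejecting any entry containing "<!--#" versus entity-escaping the entry before it is written to the page. Function names and sample entries are constructed; the sketch also escapes "&", which goes beyond the two replacements named above, so that entity-like text typed by a visitor is displayed unchanged.

```python
import html

SSI_MARKER = "<!--#"  # the sequence named in the thread


def reject_if_ssi(entry: str) -> str:
    """Reject policy: refuse any entry that contains the SSI opener."""
    if SSI_MARKER in entry:
        raise ValueError("entry rejected: contains SSI directive opener")
    return entry  # note: other markup is stored as-is under this policy


def escape_entry(entry: str) -> str:
    """Escape policy: store markup characters as entities."""
    # '&' is replaced first; doing it last would re-escape the '&'
    # of the '&lt;' / '&gt;' entities produced by the other two steps.
    return (entry.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;"))


def rendered_text(stored: str) -> str:
    """Model of what a browser displays for the stored text."""
    return html.unescape(stored)


# Constructed sample guestbook entries (not taken from the thread).
SAMPLES = [
    "Great page, 1 < 2 & 3 > 2",
    '<!--#echo var="DATE_LOCAL" -->',
    "I typed &lt; on purpose",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        stored = escape_entry(entry)
        try:
            reject_if_ssi(entry)
            verdict = "accepted"
        except ValueError:
            verdict = "rejected"
        print(f"input    : {entry}")
        print(f"reject   : {verdict}")
        print(f"escaped  : {stored}")
        print(f"SSI left : {SSI_MARKER in stored}")
        print(f"roundtrip: {rendered_text(stored) == entry}\n")
```

With escaping, the stored page no longer contains a literal "<!--#" for the server to parse, and the visitor still sees the text as typed.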