WebApp Sec mailing list archives
Re: HTML entity bignums
From: "Ulf Harnhammar" <metaur () operamail com>
Date: Thu, 31 Jul 2003 13:36:55 +0100
> IMNSVHO there is *no* situation where you may want to allow HTML from any untrusted or unknown source. It is always a better option to use different (simpler!) formats that are then turned to html by the web app.
This works well in web forums, where users can use some simple BBcode or something (although that has security problems of its own, if you're not careful). I'm not so sure if it works in situations where you want a more complex language. Are users willing to learn a new language with the capabilities and complexity of HTML, just because the developers decided that HTML was too insecure? Being able to use the familiar HTML language might be seen as a competitive advantage when comparing programs.

// Ulf Harnhammar
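As an added illustration of the "simpler format turned into HTML by the web app" approach the thread debates (example code, not from either poster), here is a minimal BBCode-to-HTML converter. It escapes the whole input first, so raw tags and entity references (the numeric references the thread's subject refers to) are emitted as literal text, then expands a small whitelist of BBCode tags and only accepts `[url=...]` targets with an http(s) scheme. The tag set and URL rule are assumptions chosen for the example.

```python
import html
import re

# Constructed example: a deliberately small BBCode-to-HTML converter of the
# kind the thread discusses. The whitelist below is an assumption, not a
# real forum's rule set.
_SIMPLE_TAGS = {"b": "strong", "i": "em"}
# Only absolute http(s) URLs without quote/angle/whitespace characters.
_URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")


def bbcode_to_html(text: str) -> str:
    # Step 1: escape everything first. Raw HTML and entity references such
    # as &#99999999999; become literal text (& -> &amp;), so the browser
    # never sees a user-supplied entity at all.
    out = html.escape(text, quote=True)

    # Step 2: expand the whitelisted formatting tags into fixed HTML.
    for tag, elem in _SIMPLE_TAGS.items():
        out = re.sub(
            rf"\[{tag}\](.*?)\[/{tag}\]",
            rf"<{elem}>\1</{elem}>",
            out,
            flags=re.DOTALL | re.IGNORECASE,
        )

    # Step 3: [url=target]label[/url]; the target was escaped in step 1,
    # so unescape it, validate, and re-escape it for the attribute.
    def _url(m: re.Match) -> str:
        href = html.unescape(m.group(1))
        if not _URL_RE.match(href):
            # Not an acceptable target: keep the already-escaped literal.
            return m.group(0)
        return (
            f'<a href="{html.escape(href, quote=True)}" rel="nofollow">'
            f"{m.group(2)}</a>"
        )

    return re.sub(
        r"\[url=([^\]]+)\](.*?)\[/url\]", _url, out,
        flags=re.DOTALL | re.IGNORECASE,
    )
```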