On Tue, Nov 13, 2012 at 4:45 PM, Kevin <ikke@xxxxxxxxx> wrote: > The problem with input filtering is that you can only filter for one > output scenario. What if the the input is going to be output in a wiki > like environment, or to pdf, or whatever? Then you have to unescape > the data again, and maybe apply filtering/escaping for those > environments. > > You only know how to escape data when you are going to output it, so > then is the the best moment to escape it. Also there are so many ways to evade XSS filtering https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet If you can and should escape data (like in our case), it cannot not work; not possible to evade it. -- Jakub Narebski -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html