What's the point?
If a user puts into a search input something like <script>alert('I am super
hacker');</script>
And the website outputs:
You are searching for: <script>....</script>
then what? It shows an alert(), who cares?
I, as an owner of this website, don't mind AT ALL.
Aha, forgot to mention the XSS on MySQL or inside comments, right? Isn't
mysql_real_escape_string(), strip_tags() enough?
Martin
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
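What the search echo from the post looks like before and after output encoding, as an added example that is not part of the original post (the `$search` value is the payload quoted in the post; the function names `renderSearchVulnerable`, `renderSearchSafe` and `e` are made up for the illustration):

```php
<?php
// Added example (not from the mailing-list post): the search echo described
// in the thread, first as written and then with context-aware output encoding.
declare(strict_types=1);

// Constructed sample input: the payload quoted in the post.
$search = "<script>alert('I am super hacker');</script>";

// Vulnerable: the raw parameter is concatenated into HTML, so the browser
// parses the tags as markup and runs the script.
function renderSearchVulnerable(string $q): string
{
    return "You are searching for: " . $q;
}

// Hardened: encode for the HTML context at the output sink. ENT_QUOTES also
// encodes ' and ", which matters when the value lands inside an attribute.
// The flags are passed explicitly so behaviour is the same across PHP versions.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSearchSafe(string $q): string
{
    // The same value in two HTML contexts: a text node and an attribute value.
    return "You are searching for: " . e($q) . "\n"
         . '<input type="text" name="q" value="' . e($q) . '">';
}

echo renderSearchVulnerable($search), "\n\n";
// Output contains the literal <script> tag, which the browser executes.

echo renderSearchSafe($search), "\n";
// Output contains &lt;script&gt;... which the browser shows as text only.
```

The two functions named in the post solve different problems: mysql_real_escape_string() escapes a value for the SQL string context, so it says nothing about how that value is later rendered in HTML, and strip_tags() mutates the stored input rather than encoding it for the place it is output. The reliable rule is to encode at the output sink for the context the value lands in (HTML text, attribute, JavaScript, URL), which the htmlspecialchars() call above does for the two HTML contexts shown.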