[cgiapp] Re: Nothing fancy but IE chokes?
Robert Hicks
sigzero at gmail.com
Tue Jan 1 21:11:20 EST 2008
Michael Peters wrote:
> Robert Hicks wrote:
>> You are right *but* the code for that comes from:
>>
>> <title>[% webpage_title %]</title>
>
> This probably isn't your problem, but all input that goes in your templates
> should be HTML escaped unless you know it has been earlier. TT makes this very easy:
>
> <title>[% webpage_title | html %]</title>
>
> Not only will this allow your variables to contain things like "&" and "<"
> without problems, but it will also protect you against XSS attacks.
>
Thanks for the tip!
Robert
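To make the escaping point concrete, here is a small added example (not code from the thread or from CGI::Application itself) that renders the same `<title>` with and without Template Toolkit's `html` filter. It assumes the Template module is installed; the title value is a constructed, hostile sample, not anything from the original post.

```perl
#!/usr/bin/env perl
# Added example: renders one <title> line through Template Toolkit twice,
# once verbatim and once through the "html" filter, so the difference
# shows up in the output. Assumes the Template module (Template Toolkit)
# is installed. The title string below is a constructed hostile sample.
use strict;
use warnings;
use Template;

# Constructed sample: a title a user (or an attacker) might control.
my $hostile_title = q{Acme "Widgets" & Co. <script>alert(1)</script>};

# The form from the thread: the value is interpolated verbatim.
my $unsafe_tmpl = q{<title>[% webpage_title %]</title>};

# The hardened form: the html filter turns &, <, > and " into entities.
my $safe_tmpl   = q{<title>[% webpage_title | html %]</title>};

my $tt = Template->new() or die Template->error(), "\n";

# Render a template string with the given title and return the output.
sub render {
    my ($template, $title) = @_;
    my $output = '';
    $tt->process(\$template, { webpage_title => $title }, \$output)
        or die $tt->error(), "\n";
    return $output;
}

my $unsafe = render($unsafe_tmpl, $hostile_title);
my $safe   = render($safe_tmpl,   $hostile_title);

print "unescaped: $unsafe\n";
print "escaped:   $safe\n";

# The unescaped output still carries a live <script> tag; the escaped one
# contains only &lt;script&gt; text, which the browser shows literally.
print "unescaped output contains a raw <script> tag\n" if $unsafe =~ m{<script>};
print "escaped output does not\n"                      unless $safe =~ m{<script>};

# Sanity check on the filtered body: no raw <, > or ", and every & is
# part of one of the four entities the html filter emits.
my ($body) = $safe =~ m{<title>(.*)</title>}s;
die "html filter left a raw metacharacter\n"
    if $body =~ m{[<>"]|&(?!(?:amp|lt|gt|quot);)};
```

Two caveats worth keeping in mind when relying on this: the `html` filter escapes only `&`, `<`, `>` and `"`, so it is the right tool for element text and double-quoted attribute values but not for single-quoted attributes, inline JavaScript, or URLs, which need context-specific escaping; and it must be applied exactly once per value, since filtering an already-escaped string turns `&amp;` into `&amp;amp;` on the page.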