by neilk 4695 days ago
A strategy of 'escaping' assumes that the partner system does the right thing with its data. This is not always the case.

For instance, it may be perfectly fine in my system to have a user named '<script>alert("ha!")</script>'. Are you sure that's okay in your PHP-based web forum? Really sure? Every place they've ever shown a username to the user, it's well-escaped?

And even if that's true today, what about the day when someone decides to change the web forum software to something else? What about the day when someone turns on a feature that copies certain forum threads to an internal support system, also provided by a third party?
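The scenario the comment describes, worked through as an added example (not part of the original comment): a username that the originating system stores safely, one consumer that escapes at output and one partner system that does not, plus the complementary allowlist check at the trust boundary. All function names and the username pattern are assumptions for illustration.

```python
import html
import re

# Constructed sample: harmless as stored data in the originating system,
# live markup the moment any consumer renders it without escaping.
HOSTILE_USERNAME = '<script>alert("ha!")</script>'

# Hypothetical allowlist for usernames (assumed policy, not from the page).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_escaped(username: str) -> str:
    """A careful consumer: HTML-escape at the point of output."""
    return f'<span class="user">{html.escape(username, quote=True)}</span>'


def render_unescaped(username: str) -> str:
    """A partner system (replacement forum, support tool) that forgot to escape."""
    return f'<span class="user">{username}</span>'


def contains_live_markup(rendered_html: str) -> bool:
    """Detection check: does the rendered fragment still carry a script tag?"""
    return SCRIPT_TAG.search(rendered_html) is not None


def is_acceptable_username(username: str) -> bool:
    """Defense in depth: reject markup-bearing names before they are stored,
    so downstream systems never receive data that only escaping made safe."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    for label, render in (("escaped", render_escaped), ("unescaped", render_unescaped)):
        out = render(HOSTILE_USERNAME)
        print(f"{label:10} live markup: {contains_live_markup(out)}")
    print("allowlist accepts hostile name:", is_acceptable_username(HOSTILE_USERNAME))
```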