> This sounds like a good approach, but it's worth noting that XSS is
> fundamentally an escaping problem, not a filtering one. Nitesh Dhanjani
> discusses this a bit here:
> http://oreillynet.com/onlamp/blog/20...of__outpu.html

Yes and no. From the article:
Therefore, I frequently come across situations where developers fix XSS
problems by attempting to filter out meta-characters (<, >, /, ", ',
etc). At times, if an exhaustive list of meta-characters is used, it
does solve the problem, but it makes the application less friendly to
the end user – a large set of characters are deemed forbidden.

If the input that you are wanting to display is (eg) a surname, then
certainly, escaping will serve your purposes. However, if you are
wanting your user to be able to input HTML and then view it as HTML,
escaping isn't sufficient. The combination is required.

________________________________________________________________________

Clinton Gormley clinton@traveljury.com

www.TravelJury.com - For travellers, By travellers
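An added example, not code from the thread or from either poster, showing the two cases the reply distinguishes: output escaping for a plain-text value (a surname), and an allowlist sanitizer for user-supplied HTML that must render as HTML, which still escapes the text and attribute values inside the structure it keeps. The allowlist, the URL-scheme check and the sample inputs are assumptions chosen for this example.

```python
"""Added example (not from the original thread): escaping vs. sanitizing.

Escaping alone is correct when the value is plain text.  When users may
submit HTML that must render as HTML, escaping would show the tags
literally, so the structure is filtered against an allowlist and the
text and attribute values inside it are still escaped.
"""
import html
from html.parser import HTMLParser

# Allowlist (an assumption for this example): tag -> permitted attributes
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}          # drop the element and its text
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def escape_text(value: str) -> str:
    """Case 1: a plain-text value (e.g. a surname) interpolated into HTML."""
    return html.escape(value, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Case 2: rebuild user HTML keeping only allowlisted tags/attributes.

    Unknown tags are stripped but their text is kept; script/style are
    dropped entirely; every text node and attribute value is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # allowlisted tags not yet closed
        self._skip_depth = 0     # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self._skip_depth = 1
            return
        if tag not in ALLOWED:
            return                       # strip the tag, keep its text
        parts = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                 # e.g. onclick= is never emitted
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue                 # reject javascript: and friends
            parts.append(f' {name}="{escape_text(value)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT:
                self._skip_depth -= 1
            return
        if tag in self.open_tags:        # close intermediates, then tag
            while True:
                open_tag = self.open_tags.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape_text(data))  # text is always escaped


def sanitize_html(fragment: str) -> str:
    """Return a serialisation of `fragment` containing only allowed markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:              # close anything left unbalanced
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample inputs for the two cases discussed in the thread
    print(escape_text("O'Brien <script>alert(1)</script>"))
    print(escape_text("<b>bold</b>"))   # escaping alone: tags shown literally
    print(sanitize_html('<p onclick="x()">Hi <b>there</b> <script>alert(1)</script>'
                        '<a href="javascript:alert(1)">x</a></p>'))
```

The second `print` is the point of the reply: once the user is allowed to write HTML, `escape_text` turns `<b>` into visible text, so the structure must be filtered (`sanitize_html`) while the content inside it is still escaped.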