Clinton Gormley wrote:
> If the input that you are wanting to display is (eg) a surname,
> then certainly, escaping will serve your purposes. However, if
> you are wanting your user to be able to input HTML and then
> view it as HTML, escaping isn't sufficient. The combination is
> required.

That XSS is fundamentally an escaping problem does not mean escaping is
a substitute for filtering, nor vice versa. (Filter input; escape
output.) I wasn't suggesting otherwise.

Escaping preserves data. If you want HTML to be interpreted, then it's
markup, not data that you want to preserve. As I said, the approach you
described for HTML::StripScripts::Parser sounds pretty good for this,
but any technique that tries to solve XSS with filtering alone is
error-prone, because it doesn't address the root cause of the problem.
This can't be avoided in some cases, but that doesn't make it a "yes and
no" issue.

Hope that helps.


Chris Shiflett
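The distinction drawn above (escape output that is data; allowlist-filter input that is meant to be markup; never rely on a blocklist) as an added Python example. This is not code from the thread, from Chris Shiflett, or from HTML::StripScripts::Parser; the tag and attribute allowlists and the sample inputs are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser


def escape_for_html(value: str) -> str:
    """Case 1: the value is data (e.g. a surname).

    Escaping preserves the user's input exactly; the browser renders it as
    text, so markup inside it is never interpreted.
    """
    return html.escape(value, quote=True)


# Case 2: the value is meant to be interpreted as markup. Escaping would turn
# <b> into &lt;b&gt;, so an allowlist filter is needed. Hypothetical allowlist
# chosen for this example, not a recommendation for any particular site.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://")


class AllowlistFilter(HTMLParser):
    """Rebuilds the fragment, keeping only allowlisted tags and attributes.

    Text nodes are still escaped on the way out: the allowlist decides what
    is markup, escaping protects everything that is data.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # dropped: <script>, <img>, <iframe>, ... never reach the output
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # on* handlers, style, etc. are not allowlisted
            if name == "href" and not value.strip().lower().startswith(ALLOWED_SCHEMES):
                continue  # javascript:, data:, vbscript: URLs are rejected
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def filter_html(fragment: str) -> str:
    """Allowlist filter for user-supplied HTML that should stay HTML."""
    parser = AllowlistFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def naive_blocklist(fragment: str) -> str:
    """The kind of 'filtering' the thread warns against.

    Removes <script> tags and nothing else, so any other way of running
    script (event-handler attributes, javascript: URLs) passes straight
    through. Shown only to contrast with the allowlist above.
    """
    return re.sub(r"(?is)</?script[^>]*>", "", fragment)


if __name__ == "__main__":
    # Constructed sample inputs.
    surname = "O'Brien <script>alert(1)</script>"
    post = '<b>hi</b><a href="javascript:alert(1)" onclick="x()">x</a><img src=x onerror=alert(1)>'
    print("escaped surname :", escape_for_html(surname))
    print("escaped post    :", escape_for_html(post))   # markup destroyed
    print("allowlisted post:", filter_html(post))       # markup kept, script gone
    print("blocklisted post:", naive_blocklist(post))   # onerror/onclick survive
```

Running it shows the three outcomes side by side: the surname survives escaping unchanged as text, the allowlist filter keeps `<b>` and `<a>` while dropping the `javascript:` href, the `onclick` handler and the `<img onerror>`, and the blocklist leaves every one of those intact.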