On Thu, Dec 8, 2011 at 9:14 AM, BRIAN TINGLE
<[log in to unmask]> wrote:
> On Dec 7, 2011, at 2:19 PM, Robert Sanderson wrote:
>> * Lax Security -- It's easier to get into trouble when you're simply
>> inlining HTML received, compared to building the elements. Getting
>> into the same bad habits as SQL injection. It might not be a big deal
>> now, but it will be later on.
>
> I've been scratching my head about this one. Can someone elaborate on this?
If you blindly include whatever you get back directly into the page,
it might include either badly performing, out of date, or potentially
malicious <script> tags that subsequently destroy the page. It's the
equivalent of blindly accepting web form input into an SQL query and
then wondering where your tables all disappeared off to.
Rob
|