[4095] in WWW Security List Archive

Re: Front-Page extensions?

daemon@ATHENA.MIT.EDU (bracha@eye-on.co.il)
Sun Jan 26 14:52:27 1997

From: bracha@eye-on.co.il
Date: Sun, 26 Jan 1997 19:54:26 +0200
To: Adam Shostack <adam@homeport.org>
CC: Leonid S Knyshov <wiseleo@juno.com>, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Adam Shostack wrote:
> 
> Leonid S Knyshov wrote:
> 
> | >HTML in and alter the formatting of the message you are giving.
> | >This can be abused: I put "<!--" at the end of my message. The
> | >messages I
> | >put in after that did not appear.
> |
> | That is what Safe Cgi is all about, we must filter all information
> | to exclude illegal characters such as <>, \n,;, | etc...
> 
> No, we must filter to only allow those characters we know are safe,
> otherwise most people will make the etc set too small, and allow
> attacks.
> 
> That which is not explicitly permitted is denied.
> 
> Adam
> 
> --
> "It is seldom that liberty of any kind is lost all at once."
>                                                        -Hume
Take me off this dumb list!!!!!Take me off this dumb list!!!!!Take me
off this dumb list!!!!!Take me off this dumb list!!!!!Take me off this
dumb list!!!!!Take me off this dumb list!!!!!
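
The deny-list versus allow-list point from the quoted exchange above, as an added example that is not part of the original messages. The deny-list is the character set named in the quote with its "etc" left unfilled; the allow-list policy and all function names are assumptions made for illustration.

```python
import string

# Deny-list exactly as written in the quoted message: "<>, \n, ;, |".
# The "etc" is deliberately left unfilled: that gap is the point being made.
DENY = set("<>\n;|")

# Allow-list (assumed policy for a plain-text guestbook field):
# letters, digits, space and a small set of punctuation.
ALLOW = set(string.ascii_letters + string.digits + " .,!?'-")


def deny_filter(text):
    """Remove only the characters known to be bad; anything else passes."""
    return "".join(c for c in text if c not in DENY)


def allow_filter(text):
    """Keep only the characters known to be safe; anything else is removed."""
    return "".join(c for c in text if c in ALLOW)


def passed_punctuation(filt):
    """ASCII punctuation characters that the given filter lets through."""
    return {c for c in string.punctuation if filt(c) == c}


if __name__ == "__main__":
    # Constructed input: the comment-opener case described in the thread.
    sample = "Nice page! <!--"
    print("deny :", repr(deny_filter(sample)))
    print("allow:", repr(allow_filter(sample)))

    # Both filters handle the case someone already thought of. The difference
    # is in everything nobody listed: sweep all ASCII punctuation through each.
    deny_pass = passed_punctuation(deny_filter)
    allow_pass = passed_punctuation(allow_filter)
    print(len(deny_pass), "punctuation characters pass the deny-list:")
    print("  ", "".join(sorted(deny_pass)))
    print(len(allow_pass), "punctuation characters pass the allow-list:")
    print("  ", "".join(sorted(allow_pass)))
```
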