[thelist] CSS
Charles F. Johnson
charles at littlegreenfootballs.com
Thu Jun 14 13:46:27 CDT 2001
Tobyn Baugher <trb at cartoonviolence.net> typed:
> Of course, you would never allow users to specify strings that are used
> directly in your code with no input checking. This is fine for a short
> example, but keep in mind that coding like this in general is a security
> nightmare :)
>
> Not that you write insecure code, I've just seen it way too much.
>
> Regards,
> Toby

toby,

right you are and thanks for the caveat. in general, never a good idea to
pass URLs in a query string without inspecting them. but i don't know if
anything evil can be achieved by changing the stylesheet in a <LINK> tag,
except to make the page unreadable for whoever put in the bogus url.
(undoubtedly someone will now tell me how a resourceful script kiddie can
cause thermonuclear armageddon by manipulating the "border-style"
attribute...)

charles johnson
lgf web design
http://littlegreenfootballs.com
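
An added example, not part of the original message or thread: one way to do the inspection discussed above is to let the query string carry only a short key that is looked up in a fixed table of the site's own stylesheets. The `style` parameter name, the theme names and the paths are assumptions made for illustration.

```python
from html import escape
from urllib.parse import parse_qs

# Hypothetical theme names and paths; the original thread does not list any.
STYLESHEETS = {
    "default": "/css/default.css",
    "dark": "/css/dark.css",
    "print": "/css/print.css",
}
DEFAULT_THEME = "default"


def stylesheet_link(query_string: str, param: str = "style") -> str:
    """Return a <link> tag whose href is always one of our own stylesheets.

    The request only supplies a short key; the href is looked up
    server-side, so a URL sent by the client never reaches the markup.
    """
    values = parse_qs(query_string, keep_blank_values=True).get(param, [])
    # Repeated parameters are ambiguous, so treat them like a missing value.
    key = values[0] if len(values) == 1 else DEFAULT_THEME
    # Unknown keys (including anything that looks like a URL) fall back too.
    href = STYLESHEETS.get(key, STYLESHEETS[DEFAULT_THEME])
    # Escape anyway so a later edit to the table cannot break the attribute.
    return '<link rel="stylesheet" type="text/css" href="%s">' % escape(href, quote=True)


if __name__ == "__main__":
    # Constructed sample query strings.
    samples = ("style=dark", "style=http://example.invalid/x.css",
               "", "style=dark&style=print")
    for qs in samples:
        print(repr(qs), "->", stylesheet_link(qs))
```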