27 Feb 2003, 9:12 p.m.
At 12:28 PM 2/27/2003, Jamie Heilman wrote:
Jaroslav Lukesh wrote:
OK, this kind of question comes up here every month. Use a mixed HTML/DTML construction:
<base href="<dtml-var URL1>">
No. You mean <base href="&dtml-URL1;">. Never place client-controlled data into a document without the proper contextual escaping.
By "proper contextual escaping" do you mean automatic HTML quoting? Last I heard, that was the only difference between the two syntaxes. HTML quoting is great for echoing back client input safely, but it's hard to see the urgency in this case. Or does entity syntax now provide something I'm unaware of?

Dylan
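An added illustration of the difference Jamie is pointing at, not code from this thread or from Zope: a small Python model of `<base href="<dtml-var URL1>">` versus `<base href="&dtml-URL1;">`, using an approximation of DTML's html_quote (assumed here to escape &, <, > and ") and a constructed URL1 value that contains a quote and a closing bracket.

```python
from html.parser import HTMLParser

# Constructed sample values standing in for URL1, which Zope derives from the
# client's request and is therefore client-controlled.
SAFE_URL1 = "http://example.com/folder"
HOSTILE_URL1 = 'http://example.com/folder"><script>alert(1)</script><a x="'


def html_quote(value):
    """Approximation (assumed) of DTML's html_quote: escape &, <, > and the double quote."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_base_unquoted(url1):
    """Models <base href="<dtml-var URL1>">: the value is inserted verbatim."""
    return '<base href="%s">' % url1


def render_base_quoted(url1):
    """Models <base href="&dtml-URL1;">: the entity syntax applies html_quote first."""
    return '<base href="%s">' % html_quote(url1)


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the list of element names parsed from markup; a single <base> is the expected result."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, render in (("dtml-var", render_base_unquoted), ("entity", render_base_quoted)):
        print(label, "->", tags_in(render(HOSTILE_URL1)))
```

With the hostile value, the unquoted form yields base, script and a elements, while the entity form yields only the base element; with the safe value both forms agree.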