jferrai at us.ibm.com
Fri Jul 20 10:31:11 PDT 2007
I got your note about whether we should say something in the security white
paper about innerHTML and code injection risks. I am copying the Security
TF to allow the experts to respond.
It does seem to me that we should mention and show an example of how their
model for an HTML element is plain text and then simply does a
myElement.innerHTML = textStringFromServer
but if the textStringFromServer looked like this "<script>...</script>"
then script would be injected.
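As an added illustration of the point above (example code written for this page, not part of the original message or of the white paper it discusses), the injection-prone assignment sits beside two defensive alternatives: treating the server string as text via textContent, or escaping it before it is embedded in markup. A plain object stands in for the DOM element so the snippet runs under Node without a browser; escapeHtml and the render functions are names chosen here.

```javascript
// Minimal HTML escaper for untrusted text that must be placed into markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Injection-prone pattern from the message: the server string is parsed as
// markup, so "<script>...</script>" (or an event-handler attribute) becomes code.
function renderUnsafe(el, textStringFromServer) {
  el.innerHTML = textStringFromServer;
  return el.innerHTML;
}

// Fix 1: treat the value as text. textContent is never parsed as markup.
function renderAsText(el, textStringFromServer) {
  el.textContent = textStringFromServer;
  return el.textContent;
}

// Fix 2: when the value must go into an HTML template, escape it first so the
// browser displays the characters instead of interpreting them.
function renderEscaped(el, textStringFromServer) {
  el.innerHTML = '<p class="comment">' + escapeHtml(textStringFromServer) + '</p>';
  return el.innerHTML;
}

// Stand-in for a DOM element (constructed; a real element also re-parses on write).
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed sample resembling the case in the message.
const sampleFromServer = '<script>alert(1)</script>';

console.log('unsafe :', renderUnsafe(fakeElement(), sampleFromServer));
console.log('text   :', renderAsText(fakeElement(), sampleFromServer));
console.log('escaped:', renderEscaped(fakeElement(), sampleFromServer));
```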