Just thought you might like to know the Open Web Application Security Project (OWASP) recommends escaping slash as well as the standard 5 characters you're escaping. If you read their XSS prevention cheat sheet, they actually recommend gt, lt, amp, quot, apos, slash and all characters with ASCII values less than 256.
I opened an issue with rack regarding the slash but neglected to mention the ASCII character thing because it could be slow. I thought you might be interested because the performance hit shouldn't be so bad in absolute terms given that you're in C. Here is a link to the rack issue:
http://github.com/rack/rack/issues#issue/27
Cheers!
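An added example, not code from rack or from the project this comment is addressed to: a C escaper that applies the aggressive OWASP rule described above (alphanumerics pass through, the six special characters get an entity, every other byte below 256 becomes a `&#xHH;` reference). The entity spellings and the snprintf-style return value are my own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the project's code. Everything except ASCII
 * alphanumerics is escaped: the six special characters as entities, any
 * other byte (including UTF-8 continuation bytes) as &#xHH;. OWASP uses
 * &#x27; for the apostrophe because &apos; is not defined in HTML 4. */
static const char *entity_for(unsigned char c) {
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#x27;";
    case '/':  return "&#x2F;";   /* the slash OWASP adds to the usual five */
    default:   return NULL;
    }
}

static int is_ascii_alnum(unsigned char c) {
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Append piece to out without writing past outlen-1; needed counts the full length. */
static void emit(const char *piece, char *out, size_t outlen, size_t *needed) {
    size_t n = strlen(piece);
    for (size_t i = 0; i < n; i++)
        if (*needed + i + 1 < outlen) out[*needed + i] = piece[i];
    *needed += n;
}

/* Returns the escaped length (no NUL); a result >= outlen means truncation. */
size_t html_escape_all(const char *in, char *out, size_t outlen) {
    size_t needed = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char numeric[8];
        const char *rep = entity_for(*p);
        if (is_ascii_alnum(*p)) {
            numeric[0] = (char)*p; numeric[1] = '\0'; rep = numeric;
        } else if (rep == NULL) {
            snprintf(numeric, sizeof numeric, "&#x%02X;", (unsigned)*p);
            rep = numeric;
        }
        emit(rep, out, outlen, &needed);
    }
    if (outlen) out[needed < outlen ? needed : outlen - 1] = '\0';
    return needed;
}
```

Because the return value is the length the full result would have, a caller can size the buffer in two passes instead of guessing.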