Mailing List Archive



Re: [tlug] Do you whitelist or blacklist utf-8?



Edmund Edgar writes:

 > For example, if you're letting people input a URL which you then
 > display as a link, they can create all kinds of mischief by putting
 > interesting stuff in the URL, which is going to end up between the
 > tags in your anchor tag.

Sure, but if you're letting them input URLs that you display as links,
you're already in trouble because there's one "script engine" you're
never going to be able to "purify": the user at the browser.  I.e., the
URL can take the user to a site where "social engineering" is
practiced.

For example, any URL can be served by a script that simply displays
the referrer page again, with all the links replaced with hacked
links.  Or if the script can't get the referrer page because it's not
authenticated with the referring system, it can display an
"Experiencing technical difficulties" page, with a hacked "Try Again"
button.

No, I don't *do* stuff like this, I just have that kind of mind.
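An added example, written for this archive page and not code posted by either participant. It shows the two halves of the exchange: an allowlist check for a user-supplied URL that will land in an anchor's href (the "purify the input" side), and the link-rewriting step of the referrer-cloning page described above, run over a constructed HTML snippet so it works offline. The function names, the sample page and the phish.example target are all invented for illustration; fetching the referrer page is deliberately left out.

```python
"""Added example, not from the TLUG thread.

safe_href():     allowlist an absolute http(s) URL and escape it for an
                 attribute context, so javascript:, data: and quote-breaking
                 payloads never reach the anchor tag.
rewrite_links(): the step the message describes: take a page's HTML and
                 re-emit it with every <a href> pointing somewhere else.
                 A URL that passes safe_href() can still lead to such a page.
"""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample of a "referrer page" (hypothetical markup).
SAMPLE_PAGE = (
    '<html><body><p>Hi &amp; welcome</p>'
    '<a href="/login">Log in</a> '
    '<a class="nav" href="https://example.com/help">Help</a>'
    '<img src="/logo.png"/></body></html>'
)


def safe_href(user_url: str) -> Optional[str]:
    """Return an attribute-safe href for user_url, or None if rejected.

    Allowlist, not a blocklist: absolute URL, scheme in ALLOWED_SCHEMES,
    non-empty host.  Anything else (relative paths, javascript:, data:,
    vbscript:, ...) is rejected without having to enumerate it.
    """
    url = user_url.strip()
    # Tabs/newlines inside a URL are a classic way to smuggle "java\tscript:"
    # past scheme checks, and urlsplit() silently drops them, so reject first.
    if any(ord(c) < 0x20 or c.isspace() for c in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Escape for the attribute context: quotes and angle brackets become entities.
    return escape(url, quote=True)


class LinkRewriter(HTMLParser):
    """Re-emit HTML unchanged except that every <a href=...> is replaced."""

    def __init__(self, new_target: str):
        super().__init__(convert_charrefs=False)
        self.new_target = new_target
        self.out: List[str] = []
        self.rewritten = 0

    def _emit_tag(self, tag, attrs, self_closing=False):
        pieces = []
        for name, value in attrs:
            if tag == "a" and name.lower() == "href":
                value = self.new_target
                self.rewritten += 1
            # attrs arrive unescaped; re-escape when writing them back out.
            pieces.append(name if value is None
                          else '%s="%s"' % (name, escape(value, quote=True)))
        attr_text = (" " + " ".join(pieces)) if pieces else ""
        self.out.append("<%s%s%s>" % (tag, attr_text, " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def rewrite_links(page_html: str, new_target: str) -> Tuple[str, int]:
    """Return (rewritten_html, number_of_<a href> values replaced)."""
    parser = LinkRewriter(new_target)
    parser.feed(page_html)
    parser.close()
    return "".join(parser.out), parser.rewritten


if __name__ == "__main__":
    for candidate in ("https://example.com/x", "javascript:alert(1)", "/relative"):
        print(repr(candidate), "->", safe_href(candidate))
    html_out, count = rewrite_links(SAMPLE_PAGE, "https://phish.example/")
    print(count, "links rewritten:", html_out)
```

The point of keeping the two functions side by side is that safe_href() does its job (the javascript: and relative inputs are refused, the surviving URL cannot break out of the attribute), and yet the URL it approves is exactly the kind of link whose destination can run rewrite_links() on whatever page the visitor arrived from.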



