Can't then any hacker, or even someone accidentally, POST literally any code whatsoever?
This website has been around for a long time, and many of the greatest Perl hackers of all time have passed through these halls. Do you really think no one here knows about Bobby Tables? And I believe you were linked to Markup in the Monastery already, did you take the time to look at that? Or perhaps tried to post some <script> tags yourself to see whether XSS attacks are even possible?
If you want to show that you're here to help and improve things, I would suggest you start looking at the codebase, which you've been given access to. Otherwise, people are going to lose patience and start assuming you're just trolling.
> Otherwise, people are going to lose patience and start assuming you're just trolling.
Duck typing tells me somewhere between Dunning-Kruger Effect and natural born trolling.
Doesn't matter where exactly in between because both are valid reasons to stop feeding.
Though impressive how fast you can become pmdev without proving any expertise or even knowledge of the site ...
don't trust user input
That is absolutely correct. All the assumptions and conclusions you’re piling on top of it are not. <script src="//hax0r.cx/pwnd.js"></script> can sit as is in the database just fine, as can Tye');DROP TABLE Monks;-- and any other content treated properly going in and coming back out.
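The point of that reply, shown in working code: both payloads quoted in the thread go into a table untouched and come back out as harmless text, because the SQL uses DBI placeholders on the way in and the output is entity-encoded on the way out. This is an added illustration, not code from the PerlMonks codebase; it assumes DBD::SQLite and HTML::Entities are installed, uses an in-memory database, and borrows the table name Monks from the injection string in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use HTML::Entities qw(encode_entities);

# In-memory SQLite database standing in for the site's real store (assumption).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE Monks (id INTEGER PRIMARY KEY, name TEXT, body TEXT)");

# Constructed sample posts carrying the two payloads quoted in the thread.
my @posts = (
    [ "hax0r", q{<script src="//hax0r.cx/pwnd.js"></script>} ],
    [ "bobby", q{Tye');DROP TABLE Monks;--} ],
);

# Going in: placeholders hand each value to the driver separately from the
# SQL text, so the quote, semicolon and comment marker in the second post
# are plain data. Never interpolate $body into the statement string itself.
my $ins = $dbh->prepare("INSERT INTO Monks (name, body) VALUES (?, ?)");
$ins->execute(@$_) for @posts;

# The table is still there and both strings are stored byte-for-byte.
my $rows = $dbh->selectall_arrayref("SELECT name, body FROM Monks ORDER BY id");
die "expected 2 rows" unless @$rows == 2;
die "stored body was altered" unless $rows->[0][1] eq $posts[0][1];

# Coming back out: entity-encode at the point where text is placed into HTML,
# so the <script> tag is shown as text instead of being run by the browser.
for my $row (@$rows) {
    my ($name, $body) = @$row;
    printf "<li><b>%s</b>: %s</li>\n",
        encode_entities($name), encode_entities($body);
}
```

The two halves are independent: placeholders protect the database regardless of what the string looks like, and encoding at output protects the reader regardless of what was stored. Escaping once on input (for either target) is what people get wrong, since it either corrupts the stored text or is undone before it reaches the page.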