29 May 2008, 08:33
Glenn Andert (1 post)

The view template for the catalog page (store/index) does not escape the Description column in the Products table during the display because you want to allow the product description to be formatted using HTML markup. The footnote on page 96 mentions the security risk. It does not mention another risk: innocent data entry mistakes in the product description can cause the resulting HTML to be malformed in some way, which can leave the entire page broken in a pretty ugly fashion. In many applications, one would need a helper method that would remove any markup from the description that would render the resulting HTML malformed.
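As an added example, not part of the post above, here is a small pure-Ruby helper of the kind the post calls for: it keeps only an allow-list of formatting tags, drops their attributes, escapes every other tag as literal text, discards stray closing tags and closes whatever is still open, so a data-entry typo cannot break the page and an injected script tag is displayed rather than run. The allow-list and the function name are assumptions, not anything from the book's depot application.

```ruby
require 'cgi'

# Constructed allow-list of formatting tags a product description may use.
ALLOWED_TAGS = %w[b i em strong p br ul ol li].freeze
VOID_TAGS    = %w[br].freeze

# Rewrites an HTML fragment so it is both safe to embed unescaped and
# well-formed. Any '<', '>' or '&' in plain text is escaped, so a description
# that already contains entities such as &amp; will show them literally.
def sanitize_description(html)
  out   = +''
  stack = []                       # names of currently open allowed tags
  html.scan(%r{</?[A-Za-z][^>]*>|[^<]+|<}) do |tok|
    unless tok =~ %r{\A<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>\z}
      out << CGI.escapeHTML(tok)   # plain text, or a lone '<' as in "1 < 2"
      next
    end
    closing, name = ($1 == '/'), $2.downcase
    unless ALLOWED_TAGS.include?(name)
      out << CGI.escapeHTML(tok)   # unknown tag (e.g. <script>): shown as text
      next
    end
    if VOID_TAGS.include?(name)
      out << "<#{name}>" unless closing
    elsif closing
      # Close the matching tag plus any tags opened inside it; a closing tag
      # with no open partner is silently dropped.
      if stack.include?(name)
        loop do
          popped = stack.pop
          out << "</#{popped}>"
          break if popped == name
        end
      end
    else
      stack.push(name)
      out << "<#{name}>"           # attributes (onclick=, href=, ...) dropped
    end
  end
  out << "</#{stack.pop}>" until stack.empty?   # close anything left open
  out
end
```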

