I concur, and it's not likely since one sproc does nothing but put it in a cell, and the other does nothing but pull it out of the cell and send it back to the web server for direct delivery to the client.
As far as I can see the vulnerability is with the client, since embedded scripts will break application integrity on the client side, and possibly cause harm to other users who view the content if it is not adequately scrubbed. I suppose one issue under discussion is whether or not encoding the HTML on the client prior to uploading it is sufficient to inhibit scripting attacks, and so far I'm outnumbered three to one here, the three asserting that it is not sufficient. I am not convinced because a user's input must be able to circumvent the JavaScript encoding process from adequately scrubbing executable code, and only an unstable system would possibly allow that.
Any thoughts on this?
Last edited by sbhmf; 01-10-2013 at 08:12 AM.