These fields are coming from the database, and the table is populated with data from Amazon.com. I prefer scrubbing it on the way in (admittedly not doing that at the moment because I figured if you can hijack Amazon.com's servers you're going to get me if you want to anyway). The fewer places I have to worry about it, the better. On 6/19/06, Dries Buytaert <dries.buytaert@gmail.com> wrote:
On 19 Jun 2006, at 16:50, Earl Dunovant wrote:
What was the query you used to identify the problem? I think amazon.module is one of the false positives, but I want ot make sure I'm looking at the same thing you are.
This line is vulnerable (amongst other):
$datacell .= "<img src=\"$node->smallimageurl\" height=\"$node-
smallimageheight\" width=\"$node->smallimagewidth\" alt=\"cover of $node->title\" />"
-- Dries Buytaert :: http://www.buytaert.net/