Topic: Converting only completed tags
Hi,
First of all, please forgive me if this has been brought up before - I suspect it has but couldn't find it looking through the forum.
I'm specifically interested in using Htmlaw for XSS prevention (thank you so much for creating it and making it available!). I present a form to the end user and they enter data - I pass it through Htmlaw and the result is saved to the DB (it can't be done on output for legacy reasons in the app - I'm going to change that in a future version).
If the user submits something as simple as `<` it gets encoded to be `&lt;`. Could you clarify why this is? I don't quite understand how a single bracket could be a security issue. Continuing that theme, `2014<<2015` for example would be `2104&lt;&lt;2015`.
Might it be possible that if only one of `<` or `>` were found in a string then there is no need to convert it?
Regards,
Allan