Search Type: Posts; User: normanrichards
1 Dec 2011 12:46 PM - Replies: 166 - Views: 59,666
I don't believe it has. I didn't follow up on my earlier comments here because after doing the basic work to secure the Ext app I was working on, I moved on to work on another project that happened...
9 Aug 2010 5:55 AM - Replies: 166 - Views: 59,666
Bingo!
So far I haven't found anything in extjs that hasn't been relatively easy to make encode things correctly. The real challenge has just been figuring out what to do. There's a lot of noise...
6 Aug 2010 10:04 AM - Replies: 166 - Views: 59,666
This is not necessarily true, and it's completely irrelevant. First, HTML text *is* a valid data type, and there is no reason you shouldn't store it in the database if your type is HTML. When it...
6 Aug 2010 8:00 AM - Replies: 166 - Views: 59,666
Can you clarify what "injecting some javascript into the application" means in this context? Do you mean that you are injecting javascript into YOUR browser? If so, how does this affect...
6 Aug 2010 7:57 AM - Replies: 166 - Views: 59,666
Ok, so are you saying that no HTML unsafe data should ever be stored or sent to the client? (No "I <3 puppies" or "My favorite html tag is <blink>" - anything that could be potentially misunderstood...
6 Aug 2010 7:32 AM - Replies: 166 - Views: 59,666
OK - now we are getting somewhere. Let's clarify this idea some. What insecurity of javascript are you worried about? The only person who can bypass the HTML encoding in my browser is me, right? ...
6 Aug 2010 6:52 AM - Replies: 166 - Views: 59,666
Chods - how exactly do you disable encoding on MY browser? If the client properly encodes data from the server before inserting it into the html, where is the issue? Nobody cares what you do with...
6 Aug 2010 6:14 AM - Replies: 166 - Views: 59,666
Chods - I think you are confusing issues. Let's take the "I <3 puppies" example again. Is this a valid data value, perhaps for a user's display name in an application? It depends on your...
5 Aug 2010 5:44 PM - Replies: 166 - Views: 59,666
I will disagree, but only in an orthogonal way. You are correct that the server should validate data. However, that doesn't mean that the server should consider the presentation layer encoding...
5 Aug 2010 1:40 PM - Replies: 166 - Views: 59,666
Yeah - after an afternoon of digging deeper, it seems that htmlEncode is the answer. Adding ':htmlEncode' over all my XTemplates has been easy. Now I get to play with the trees and grids. ...
5 Aug 2010 7:32 AM - Replies: 166 - Views: 59,666
I absolutely agree that escaping data for HTML is a fundamental concern of an HTML presentation layer. Your data is not HTML, and when it is added to an HTML document it must be escaped. There is a...
Results 1 to 11 of 11
