incrediBILL - 3:31 pm on Dec 8, 2011 (gmt 0)
Sorry guys, I don't buy the argument that because SOME sites need to be able to have long strings input means ALL sites need to be vulnerable. That's the argument I'm hearing from some, if you sanitize the input then WE will have issues. Being left wide open for all to be vulnerable is just silly and unnecessary.
Truth is most sites, except technical forums, don't need such unfiltered input and there is no value whatsoever in leaving everyone vulnerable just because a few might benefit.
Worst case, the admin control panel could offer a range of input filtering from completely sanitized as I described to loosely sanitized. Members that need such unfiltered input capabilities could even have it issued on a per account basis.
Like I said before, securing the web isn't rocket science.
Convincing people to do the things that need to be done, that's where the difficulty lies.
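One way the tiered scheme described in this post could look in code, as an added example that is not part of the original thread or any forum software it refers to. The policy names (strict, moderate, loose), the length limits, and the `resolve_policy` / `sanitize` function names are all assumptions chosen for illustration; the point is that the site default is locked down, a per-account override can loosen it, and even the loosest level still strips control characters and escapes markup rather than storing raw input.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional


# Constructed policy levels for illustration; the names and limits are
# assumptions, not settings from any real forum package.
@dataclass(frozen=True)
class InputPolicy:
    name: str
    max_length: int        # cap applied before escaping so entities are never split
    strip_markup: bool     # True: remove anything tag-shaped; False: keep it, escaped
    allow_newlines: bool   # False: fold line breaks into single spaces


STRICT = InputPolicy("strict", 256, strip_markup=True, allow_newlines=False)
MODERATE = InputPolicy("moderate", 4096, strip_markup=True, allow_newlines=True)
LOOSE = InputPolicy("loose", 65536, strip_markup=False, allow_newlines=True)

POLICIES = {p.name: p for p in (STRICT, MODERATE, LOOSE)}

# Matches anything that looks like an HTML/XML tag.
_TAG_RE = re.compile(r"<[^>]*>")
# C0 control characters except tab, LF and CR, plus DEL.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def resolve_policy(site_default: str, account_override: Optional[str] = None) -> InputPolicy:
    """Pick the policy for one submission.

    The site-wide default applies unless the account has been explicitly
    granted a different level. An override naming an unknown level is
    ignored rather than silently falling back to 'loose'.
    """
    default = POLICIES[site_default]
    if account_override is not None and account_override in POLICIES:
        return POLICIES[account_override]
    return default


def sanitize(text: str, policy: InputPolicy) -> str:
    """Normalise user input according to a policy level.

    Every level removes control characters and HTML-escapes the result;
    the levels differ only in length cap, newline handling and whether
    tag-shaped text is dropped entirely or merely escaped.
    """
    # 1. Control characters (NUL, escape sequences, ...) are never useful in
    #    forum text and are dropped at every level.
    text = _CONTROL_RE.sub("", text)

    # 2. Single-line fields fold line breaks into spaces.
    if not policy.allow_newlines:
        text = re.sub(r"[\r\n]+", " ", text)

    # 3. Strict/moderate levels remove tag-shaped fragments outright.
    if policy.strip_markup:
        text = _TAG_RE.sub("", text)

    # 4. Length cap before escaping, so a truncated entity cannot be produced.
    text = text[: policy.max_length]

    # 5. Escape what remains, so even 'loose' content is safe to echo into HTML.
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed sample submissions.
    sample = "<b>hello</b>\nworld\x00 & <script>alert(1)</script>"
    print(repr(sanitize(sample, resolve_policy("strict"))))
    print(repr(sanitize(sample, resolve_policy("strict", account_override="loose"))))
```

The override check in `resolve_policy` is deliberately a whitelist lookup: an admin typo or a tampered profile field cannot grant a level that does not exist, and the failure mode is the site default, not the loosest setting.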