demos contain cross site scripting

[ik5]

When adding to input html/xml code (such as ), it does not escape the code, and embed it inside as it was a javascript code.

I expect any input to have been escaped to the literal representer with HTML, unless it was configured to that specific location to keep it "as-is".

[silvioprog]

All the online demos are very simple, but you can update it for strip all HTML/XML scripts. The online chat demo (http://brookframework.org/demos/others/chat/cgi1.fbf) don't allow HTML/XML scripts, please test it.

Can you open a pull request with updated demos? We would be very grateful! :)

ps. In chat demo I used the RUtils.StripHTMLMarkup (https://github.com/silvioprog/rutils/blob/master/src/rutils.pas#L106).

[ik5]

I'll require some time to learn the code, and I'll for the project and add it :)
I think it's very important to educate people to work properly, and secure, even when things are considered to be simple.

[silvioprog]

I fully agree. :)

Please feel free to implement it.

[silvioprog]

Fixed (47e1455).

Please test it and close if OK. ;)

Thank you! :)

ps. I'll update online demos as soon.

[ik5]

Obrigado,

You do not have to strip HTML elements, just escape them :)
I looked at the source code, and it looks ok.