The curiosity killed the cat - fossguy
http://blog.sucuri.net/2009/08/curiosity-killed-cat.html

======
swolchok
I bet those text-based browsers aren't subject to the same level of security
audits as the more popular ones. I hope they're sandboxing said browsers
properly...

~~~
sucuri2
In our case, we audited and were very careful with the data... Who knows what
other sites are doing. A funny note is that since I published that article,
the number of attempts increased :)

------
ars
"We took the approach to htmlspecialchars() every single GET/POST variable
even before processing them."

Didn't PHP magic_quotes prove that that is a really bad idea?

~~~
sucuri2
PHP magic_quotes proved that doing that by default for every application is a
bad idea. Plus, lots of developers weren't even aware of that...

In the case of our specific tools (with some limited user input), it worked
great.
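As an added illustration of the trade-off ars and sucuri2 are discussing (this is not code from the Sucuri post or from either commenter; the request values and the in-memory SQLite table are constructed), the following PHP contrasts running htmlspecialchars() over every input up front with escaping at the point of use:

```php
<?php
// Added illustration (not from the Sucuri article or this thread).
// Constructed stand-in for $_GET / $_POST.
$request = ['name' => "O'Brien <b>", 'q' => 'a&b'];

// --- Approach 1: htmlspecialchars() every GET/POST variable before use ---
function escapeAllInput(array $vars): array {
    return array_map(
        fn($v) => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
        $vars
    );
}
$input = escapeAllInput($request);

// Problem A: the value is now HTML-encoded everywhere, including contexts
// that are not HTML. Store it as-is and a later, correct output escape
// double-encodes it (the magic_quotes failure mode).
$stored = $input['name'];                                  // O&#039;Brien &lt;b&gt;
$html   = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');  // O&amp;#039;Brien &amp;lt;b&amp;gt;

// Problem B: HTML encoding is not SQL quoting, shell quoting or JSON
// escaping. A query built by string concatenation gains nothing from it;
// the wrong escape for a context is no escape for that context.

// --- Approach 2: keep the raw input, escape once at the point of use ---
$raw = $request['name'];

// HTML body context: encode when rendering, not when reading.
$renderedHtml = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

// SQL context: parameterise instead of escaping.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $raw]);   // stored exactly as the user typed it

// JSON context: let the encoder handle escaping for that format.
$json = json_encode(['name' => $raw], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

echo $html, "\n", $renderedHtml, "\n", $json, "\n";
```

Blanket input escaping only holds up when, as sucuri2 notes, the input is limited and only ever lands in one context; as soon as a value reaches storage, SQL or JSON, the escape has to match the destination.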