jerakeen.org

notes by Tom Insam


Unsubscribe

created 19 November 2008 in notes tagged cms and mailinglist.

Unsubscribed from LMN Tactical Newsletter

You really want your template language to automatically escape all strings unless they are explicitly flagged as "I know this contains HTML and I know what I'm doing". Escaping by default, and marking the safe values rather than the dangerous ones, stops many trivial forms of cross-site scripting, because the failure mode is a stray `&lt;` in the output rather than a stray `<script>`.

You probably also want certain columns of your database (password hashes, e-mail addresses, internal notes) to be annotated as not-for-display, so that your CMS cannot accidentally hand them to a template and show them to users.
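As an added illustration of both points, not code from the original note or from any particular CMS, here is a toy template renderer in Python (standard library only) that escapes every substituted value unless it is wrapped in a `Markup` type, plus a column annotation (`public=False`) that keeps not-for-display columns out of the template context entirely. The `Column`, `Markup`, `render` and `template_context` names, the `{{ name }}` placeholder syntax and the sample row are all assumptions made for this example.

```python
import html
import re
from dataclasses import dataclass

class Markup(str):
    """A string the template author has explicitly vouched for as HTML.

    Anything that is not a Markup is treated as untrusted text and escaped.
    """
    def __html__(self):
        return str(self)

def escape(value):
    """Escape-by-default: only values carrying __html__ pass through unchanged."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    # quote=True also escapes " and ', so values are safe inside attributes.
    return Markup(html.escape(str(value), quote=True))

# Assumed placeholder syntax: {{ variable_name }}
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(template, context):
    """Substitute placeholders, escaping every value that is not Markup.

    An unknown variable is an error, not an empty string, so a template that
    asks for a column the context does not expose fails loudly.
    """
    def substitute(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"unknown template variable {name!r}")
        return str(escape(context[name]))
    return _PLACEHOLDER.sub(substitute, template)

@dataclass(frozen=True)
class Column:
    """Database column annotation. public=False means: never give to templates."""
    name: str
    public: bool = True

# Assumed schema for a user table; the two sensitive columns are marked non-public.
USER_COLUMNS = (
    Column("username"),
    Column("bio"),
    Column("password_hash", public=False),
    Column("email", public=False),
)

def template_context(columns, row):
    """Build the template context from a row, dropping non-public columns.

    Hidden columns are filtered by schema annotation, not by what the template
    happens to reference, so a new template cannot leak them by accident.
    """
    return {c.name: row[c.name] for c in columns if c.public}

def render_record(template, columns, row):
    """Render a database row through a template with both protections applied."""
    return render(template, template_context(columns, row))

# Constructed sample row with a hostile username and an author-approved bio.
SAMPLE_ROW = {
    "username": "<script>alert(1)</script>",
    "bio": Markup("<b>Hello</b>"),          # flagged as trusted HTML on purpose
    "password_hash": "$2b$12$constructedhashvalue",
    "email": "someone@example.invalid",
}

if __name__ == "__main__":
    print(render_record("<h1>{{ username }}</h1><p>{{ bio }}</p>", USER_COLUMNS, SAMPLE_ROW))
    try:
        render_record("<p>{{ email }}</p>", USER_COLUMNS, SAMPLE_ROW)
    except KeyError as exc:
        print("refused:", exc)
```

The two checks worth noticing: the hostile `username` comes out as inert text while the `bio` is emitted verbatim only because a human wrapped it in `Markup`, and a template that references `{{ email }}` raises instead of rendering, because the column annotation removed it before the template ever saw the row.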